chore: copy

style: show lock icon for encrypted profiles
refactor: add cleanup for expired subscriptions
2026-06-30 10:25:29 +02:00 · 2026-03-02 23:35:04 +04:00 · 2026-03-02 19:12:11 +04:00 · 2026-03-02 18:49:47 +04:00 · 2026-03-02 16:24:10 +04:00 · 2026-03-02 15:49:26 +04:00
77 changed files with 8623 additions and 1453 deletions
@@ -27,7 +27,7 @@ Hi there! To expedite issue processing please search open and closed issues befo

 ## Your Environment

-<!-- Please provide as much information as you feel comfortable to help us understand the issue better -->
+<!-- Please provide as much information as you feel comfortable to help the maintainers understand the issue better -->

 ## Exception or Error or Screenshot

@@ -33,7 +33,7 @@ jobs:

      - name: Validate issue with AI
        id: validate
-        uses: actions/ai-inference@a380166897b5408b8fb7dddd148142794cb5624a # v2.0.6
+        uses: actions/ai-inference@e09e65981758de8b2fdab13c2bfb7c7d5493b0b6 # v2.0.7
        with:
          prompt-file: .github/prompts/issue-validation.prompt.yml
          input: |
@@ -97,21 +97,21 @@ jobs:
            {
              printf "%b" "$GREETING_SECTION"
              printf "## 🤖 Issue Validation\n\n"
-              printf "Thank you for submitting this issue! However, it appears that some required information might be missing to help us better understand and address your concern.\n\n"
+              printf "Thank you for submitting this issue! However, it appears that some required information might be missing to help the maintainers better understand and address your concern.\n\n"
              printf "**Issue Type Detected:** \`%s\`\n\n" "$ISSUE_TYPE"
              printf "**Assessment:** %s\n\n" "$ASSESSMENT"
              printf "### 📋 Missing Information:\n%s\n\n" "$MISSING_INFO"
              printf "### 💡 Suggestions for Improvement:\n%s\n\n" "$SUGGESTIONS"
              printf "### 📝 How to Provide Additional Information:\n\n"
-              printf "Please edit your original issue description to include the missing information. Here are our issue templates for reference:\n\n"
+              printf "Please edit your original issue description to include the missing information. Here are the issue templates for reference:\n\n"
              printf -- "- **Bug Report Template:** [View Template](.github/ISSUE_TEMPLATE/01-bug-report.md)\n"
              printf -- "- **Feature Request Template:** [View Template](.github/ISSUE_TEMPLATE/02-feature-request.md)\n\n"
              printf "### 🔧 Quick Tips:\n"
              printf -- "- For **bug reports**: Include step-by-step reproduction instructions, your environment details, and any error messages\n"
              printf -- "- For **feature requests**: Describe the use case, expected behavior, and why this feature would be valuable\n"
              printf -- "- Add **screenshots** or **logs** when applicable\n\n"
-              printf "Once you have updated the issue with the missing information, feel free to remove this comment or reply to let us know you have made the updates.\n\n"
-              printf -- "---\n*This validation was performed automatically to ensure we have all the information needed to help you effectively.*\n"
+              printf "Once you have updated the issue with the missing information, feel free to remove this comment or reply to let the maintainers know the updates have been made.\n\n"
+              printf -- "---\n*This validation was performed automatically to ensure all the information needed to help effectively is provided.*\n"
            } > comment.md

            gh issue comment ${{ github.event.issue.number }} --body-file comment.md
@@ -144,7 +144,7 @@ jobs:
          fi

      - name: Run opencode analysis
-        uses: anomalyco/opencode/github@296250f1b7e1ec992a3a33bee999f5e09a1697d0 #v1.2.10
+        uses: anomalyco/opencode/github@799b2623cbb1c0f19e045d87c2c8593e83678bc0 #v1.2.15
        env:
          ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
        with:
@@ -193,7 +193,7 @@ jobs:

      - name: Analyze PR with AI
        id: analyze
-        uses: actions/ai-inference@a380166897b5408b8fb7dddd148142794cb5624a # v2.0.6
+        uses: actions/ai-inference@e09e65981758de8b2fdab13c2bfb7c7d5493b0b6 # v2.0.7
        with:
          prompt-file: .github/prompts/pr-review.prompt.yml
          input: |
@@ -273,7 +273,7 @@ jobs:
          gh pr comment ${{ github.event.pull_request.number }} --body-file comment.md

      - name: Run opencode analysis
-        uses: anomalyco/opencode/github@296250f1b7e1ec992a3a33bee999f5e09a1697d0 #v1.2.10
+        uses: anomalyco/opencode/github@799b2623cbb1c0f19e045d87c2c8593e83678bc0 #v1.2.15
        env:
          ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
        with:
@@ -295,7 +295,7 @@ jobs:
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1

      - name: Run opencode
-        uses: anomalyco/opencode/github@296250f1b7e1ec992a3a33bee999f5e09a1697d0 #v1.2.10
+        uses: anomalyco/opencode/github@799b2623cbb1c0f19e045d87c2c8593e83678bc0 #v1.2.15
        env:
          ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
        with:
@@ -82,7 +82,7 @@ jobs:
      - name: Generate release notes with AI
        id: generate-notes
        if: steps.get-release.outputs.is-prerelease == 'false'
-        uses: actions/ai-inference@a380166897b5408b8fb7dddd148142794cb5624a # v2.0.6
+        uses: actions/ai-inference@e09e65981758de8b2fdab13c2bfb7c7d5493b0b6 # v2.0.7
        with:
          prompt-file: .github/prompts/release-notes.prompt.yml
          input: |
@@ -254,7 +254,7 @@ jobs:
          ls -la /tmp/packages/

      - name: Setup Go
-        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff #v5.6.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
        with:
          go-version: "1.23"
          cache: false
@@ -328,5 +328,6 @@ jobs:
        env:
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
        run: |
+          brew tap --force homebrew/cask
          VERSION="${GITHUB_REF_NAME#v}"
          brew bump-cask-pr --version "$VERSION" --no-browse donut
@@ -23,4 +23,4 @@ jobs:
      - name: Checkout Actions Repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
      - name: Spell Check Repo
-        uses: crate-ci/typos@57b11c6b7e54c402ccd9cda953f1072ec4f78e33 #v1.43.5
+        uses: crate-ci/typos@631208b7aac2daa8b707f55e7331f9112b0e062d #v1.44.0
@@ -46,6 +46,7 @@
    "direnv",
    "distro",
    "dists",
+    "DMABUF",
    "doctest",
    "doesn",
    "domcontentloaded",
@@ -96,6 +97,7 @@
    "libayatana",
    "libc",
    "libcairo",
+    "libfuse",
    "libgdk",
    "libglib",
    "libpango",
@@ -1,10 +1,10 @@
 # Code of Conduct

-All participants of the Donut Browser project (referred to as "the project") are expected to abide by our Code of Conduct, both online and during in-person events that are hosted and/or associated with the project.
+All participants of the Donut Browser project (referred to as "the project") are expected to abide by this Code of Conduct, both online and during in-person events that are hosted and/or associated with the project.

 ## The Pledge

-In the interest of fostering an open and welcoming environment, we pledge to make participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+In the interest of fostering an open and welcoming environment, the maintainers pledge to make participation in the project and the community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.

 ## The Standards

@@ -25,4 +25,4 @@ Examples of unacceptable behavior by participants include:

 Violations of the Code of Conduct may be reported to [contact@donutbrowser.com](mailto:contact@donutbrowser.com). All reports will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. Further details of specific enforcement policies may be posted separately.

-We hold the right and responsibility to remove comments or other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any members for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+The maintainers hold the right and responsibility to remove comments or other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any members for other behaviors that are deemed inappropriate, threatening, offensive, or harmful.
@@ -10,11 +10,11 @@ Do keep in mind before you start working on an issue / posting a PR:

 - Search existing PRs related to that issue which might close them
 - Confirm if other contributors are working on the same issue
- Check if the feature aligns with our roadmap and project goals
+- Check if the feature aligns with the project's roadmap and goals

 ## Contributor License Agreement

-By contributing to Donut Browser, you agree that your contributions will be licensed under the same terms as the project. You must agree to our [Contributor License Agreement](CONTRIBUTOR_LICENSE_AGREEMENT.md) before your contributions can be accepted. This agreement ensures that:
+By contributing to Donut Browser, you agree that your contributions will be licensed under the same terms as the project. You must agree to the [Contributor License Agreement](CONTRIBUTOR_LICENSE_AGREEMENT.md) before your contributions can be accepted. This agreement ensures that:

 - Your contributions can be used in the open source version of Donut Browser (licensed under AGPL-3.0)
 - Donut Browser can offer commercial licenses for the software, including your contributions
@@ -27,7 +27,7 @@ When you submit your first pull request, you acknowledge that you agree to the t
 - PRs with tests are highly appreciated
 - Avoid adding third party libraries, whenever possible
 - Unless you are helping out by updating dependencies, you should not be uploading your lock files or updating any dependencies in your PR
- If you are unsure where to start, open a discussion and we will point you to a good first issue
+- If you are unsure where to start, open a discussion to get pointed to a good first issue

 ## Development Setup

@@ -80,7 +80,7 @@ This will start the app for local development with live reloading.

 ## Code Style & Quality

-We use several tools to maintain code quality:
+The project uses several tools to maintain code quality:

 - **Biome** for JavaScript/TypeScript linting and formatting
 - **Clippy** for Rust linting
@@ -88,7 +88,7 @@ We use several tools to maintain code quality:

 ### Before Committing

-Run these commands to ensure your code meets our standards:
+Run these commands to ensure your code meets the project's standards:

 ```bash
 # Format and lint frontend code
@@ -151,7 +151,7 @@ Refs #00000

 ### PR Checklist

- [ ] Code follows our style guidelines
+- [ ] Code follows the project's style guidelines
 - [ ] I have performed a self-review of my code
 - [ ] I have commented my code, particularly in hard-to-understand areas
 - [ ] I have made corresponding changes to the documentation
@@ -187,7 +187,7 @@ Please note that this project is released with a [Contributor Code of Conduct](C

 ## Recognition

-All contributors will be recognized! We use the all-contributors specification to acknowledge everyone who contributes to the project.
+All contributors will be recognized! The project uses the all-contributors specification to acknowledge everyone who contributes.

 ---

@@ -42,6 +42,19 @@

 The app can be downloaded from the [releases page](https://github.com/zhom/donutbrowser/releases/latest).

+<details>
+<summary>Troubleshooting AppImage on Linux</summary>
+
+If the AppImage segfaults on launch, install **libfuse2** (`sudo apt install libfuse2` / `yay -S libfuse2` / `sudo dnf install fuse-libs`), or bypass FUSE entirely:
+
+```bash
+APPIMAGE_EXTRACT_AND_RUN=1 ./Donut.Browser_x.x.x_amd64.AppImage
+```
+
+If that gives an EGL display error, try adding `WEBKIT_DISABLE_DMABUF_RENDERER=1` or `GDK_BACKEND=x11` to the command above. If issues persist, the **.deb** / **.rpm** packages are a more reliable alternative.
+
+</details>
+
 <!-- ## Supported Platforms

 - ✅ **macOS** (Apple Silicon)
@@ -64,7 +77,7 @@ Donut Browser supports syncing profiles, proxies, and groups across devices via

 ## Community

-Have questions or want to contribute? We'd love to hear from you!
+Have questions or want to contribute? The team would love to hear from you!

 - **Issues**: [GitHub Issues](https://github.com/zhom/donutbrowser/issues)
 - **Discussions**: [GitHub Discussions](https://github.com/zhom/donutbrowser/discussions)
@@ -113,7 +126,7 @@ Have questions or want to contribute? We'd love to hear from you!

 ## Contact

-Have an urgent question or want to report a security vulnerability? Send an email to [contact@donutbrowser.com](mailto:contact@donutbrowser.com) and we'll get back to you as fast as possible.
+Have an urgent question or want to report a security vulnerability? Send an email to [contact@donutbrowser.com](mailto:contact@donutbrowser.com) and the team will get back to you as fast as possible.

 ## License

@@ -18,8 +18,8 @@
    "test:e2e": "jest --config ./test/jest-e2e.json"
  },
  "dependencies": {
-    "@aws-sdk/client-s3": "^3.996.0",
-    "@aws-sdk/s3-request-presigner": "^3.996.0",
+    "@aws-sdk/client-s3": "^3.1000.0",
+    "@aws-sdk/s3-request-presigner": "^3.1000.0",
    "@nestjs/common": "^11.1.14",
    "@nestjs/config": "^4.0.3",
    "@nestjs/core": "^11.1.14",
@@ -35,8 +35,8 @@
    "@types/express": "^5.0.6",
    "@types/jest": "^30.0.0",
    "@types/jsonwebtoken": "^9.0.10",
-    "@types/node": "^25.3.0",
-    "@types/supertest": "^6.0.3",
+    "@types/node": "^25.3.3",
+    "@types/supertest": "^7.2.0",
    "jest": "^30.2.0",
    "source-map-support": "^0.5.21",
    "supertest": "^7.2.2",
@@ -43,6 +43,7 @@ export class AuthGuard implements CanActivate {
        prefix: "",
        teamPrefix: null,
        profileLimit: 0,
+        teamProfileLimit: 0,
      } satisfies UserContext;
      return true;
    }
@@ -59,6 +60,7 @@ export class AuthGuard implements CanActivate {
          prefix: decoded.prefix || `users/${decoded.sub}/`,
          teamPrefix: decoded.teamPrefix || null,
          profileLimit: decoded.profileLimit || 0,
+          teamProfileLimit: decoded.teamProfileLimit || 0,
        } satisfies UserContext;
        return true;
      } catch (err) {
@@ -3,4 +3,5 @@ export interface UserContext {
  prefix: string; // '' for self-hosted, 'users/{id}/' for cloud
  teamPrefix: string | null; // 'teams/{id}/' or null
  profileLimit: number; // 0 for unlimited (self-hosted)
+  teamProfileLimit: number; // 0 for unlimited or non-team users
 }
@@ -0,0 +1,38 @@
+import {
+  Body,
+  Controller,
+  Headers,
+  HttpCode,
+  Post,
+  UnauthorizedException,
+} from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import { SyncService } from "./sync.service.js";
+
+@Controller("v1/internal")
+export class InternalController {
+  private readonly internalKey: string | undefined;
+
+  constructor(
+    private readonly syncService: SyncService,
+    private readonly configService: ConfigService,
+  ) {
+    this.internalKey = this.configService.get<string>("INTERNAL_KEY");
+  }
+
+  @Post("cleanup-excess-profiles")
+  @HttpCode(200)
+  async cleanupExcessProfiles(
+    @Headers("x-internal-key") key: string,
+    @Body() body: { userId: string; maxProfiles: number },
+  ) {
+    if (!this.internalKey || key !== this.internalKey) {
+      throw new UnauthorizedException("Invalid internal key");
+    }
+
+    return this.syncService.cleanupExcessProfiles(
+      body.userId,
+      body.maxProfiles,
+    );
+  }
+}
@@ -1,10 +1,11 @@
 import { Module } from "@nestjs/common";
 import { AuthGuard } from "../auth/auth.guard.js";
+import { InternalController } from "./internal.controller.js";
 import { SyncController } from "./sync.controller.js";
 import { SyncService } from "./sync.service.js";

@Module({
-  controllers: [SyncController],
+  controllers: [SyncController, InternalController],
  providers: [SyncService, AuthGuard],
  exports: [SyncService],
 })
@@ -145,6 +145,7 @@ export class SyncService implements OnModuleInit {
   */
  private scopeKey(ctx: UserContext, key: string): string {
    if (ctx.mode === "self-hosted") return key;
+    if (ctx.teamPrefix && key.startsWith(ctx.teamPrefix)) return key;
    return `${ctx.prefix}${key}`;
  }

@@ -309,10 +310,12 @@ export class SyncService implements OnModuleInit {
    );

    const userPrefix = ctx?.prefix || "";
+    const teamPrefix = ctx?.teamPrefix || "";
    const objects = (response.Contents || []).map((obj) => {
-      // Strip user prefix from returned keys so client sees relative keys
      let key = obj.Key || "";
-      if (userPrefix && key.startsWith(userPrefix)) {
+      if (teamPrefix && key.startsWith(teamPrefix)) {
+        key = key.substring(teamPrefix.length);
+      } else if (userPrefix && key.startsWith(userPrefix)) {
        key = key.substring(userPrefix.length);
      }
      return {
@@ -481,11 +484,15 @@ export class SyncService implements OnModuleInit {
  ): Observable<SubscribeEventDto> {
    const basePrefixes = ["profiles/", "proxies/", "groups/", "tombstones/"];

-    // Scope prefixes for cloud users; self-hosted gets root prefixes
-    const prefixes =
-      ctx.mode === "self-hosted"
-        ? basePrefixes
-        : basePrefixes.map((p) => `${ctx.prefix}${p}`);
+    let prefixes: string[];
+    if (ctx.mode === "self-hosted") {
+      prefixes = basePrefixes;
+    } else {
+      prefixes = basePrefixes.map((p) => `${ctx.prefix}${p}`);
+      if (ctx.teamPrefix) {
+        prefixes.push(...basePrefixes.map((p) => `${ctx.teamPrefix}${p}`));
+      }
+    }

    // Per-connection state (not shared across subscribers)
    let lastKnownState = new Map<string, string>();
@@ -547,6 +554,135 @@ export class SyncService implements OnModuleInit {
    this.changeSubject.next(event);
  }

+  async cleanupExcessProfiles(
+    userId: string,
+    maxProfiles: number,
+  ): Promise<{ deletedProfiles: string[]; remaining: number }> {
+    const userPrefix = `users/${userId}/`;
+    const profilePrefix = `${userPrefix}profiles/`;
+
+    // List all profile directories
+    const profiles: { id: string; lastModified: Date }[] = [];
+    let continuationToken: string | undefined;
+
+    do {
+      const result = await this.s3Client.send(
+        new ListObjectsV2Command({
+          Bucket: this.bucket,
+          Prefix: profilePrefix,
+          Delimiter: "/",
+          MaxKeys: 1000,
+          ContinuationToken: continuationToken,
+        }),
+      );
+
+      if (result.CommonPrefixes) {
+        for (const cp of result.CommonPrefixes) {
+          if (!cp.Prefix) continue;
+          const profileId = cp.Prefix.replace(profilePrefix, "").replace(
+            /\/$/,
+            "",
+          );
+
+          // Get creation time from first object in the profile directory
+          const objects = await this.s3Client.send(
+            new ListObjectsV2Command({
+              Bucket: this.bucket,
+              Prefix: cp.Prefix,
+              MaxKeys: 1,
+            }),
+          );
+
+          const firstObj = objects.Contents?.[0];
+          profiles.push({
+            id: profileId,
+            lastModified: firstObj?.LastModified || new Date(0),
+          });
+        }
+      }
+
+      continuationToken = result.NextContinuationToken;
+    } while (continuationToken);
+
+    if (profiles.length <= maxProfiles) {
+      return { deletedProfiles: [], remaining: profiles.length };
+    }
+
+    // Sort newest first — delete newest excess profiles
+    profiles.sort(
+      (a, b) => b.lastModified.getTime() - a.lastModified.getTime(),
+    );
+
+    const excessCount = profiles.length - maxProfiles;
+    const toDelete = profiles.slice(0, excessCount);
+    const deletedProfiles: string[] = [];
+
+    for (const profile of toDelete) {
+      const prefix = `${profilePrefix}${profile.id}/`;
+
+      // Delete all objects under this profile
+      let delToken: string | undefined;
+      do {
+        const listResult = await this.s3Client.send(
+          new ListObjectsV2Command({
+            Bucket: this.bucket,
+            Prefix: prefix,
+            MaxKeys: 1000,
+            ContinuationToken: delToken,
+          }),
+        );
+
+        const objects = listResult.Contents || [];
+        if (objects.length > 0) {
+          const deleteObjects = objects
+            .filter((obj): obj is typeof obj & { Key: string } => !!obj.Key)
+            .map((obj) => ({ Key: obj.Key }));
+
+          if (deleteObjects.length > 0) {
+            await this.s3Client.send(
+              new DeleteObjectsCommand({
+                Bucket: this.bucket,
+                Delete: { Objects: deleteObjects, Quiet: true },
+              }),
+            );
+          }
+        }
+
+        delToken = listResult.NextContinuationToken;
+      } while (delToken);
+
+      // Create tombstone
+      const tombstoneKey = `${userPrefix}tombstones/profiles/${profile.id}`;
+      const tombstoneData = JSON.stringify({
+        prefix: `profiles/${profile.id}/`,
+        deleted_at: new Date().toISOString(),
+        reason: "excess_profile_cleanup",
+      });
+
+      await this.s3Client.send(
+        new PutObjectCommand({
+          Bucket: this.bucket,
+          Key: tombstoneKey,
+          Body: tombstoneData,
+          ContentType: "application/json",
+        }),
+      );
+
+      deletedProfiles.push(profile.id);
+      this.logger.log(
+        `Cleaned up excess profile ${profile.id} for user ${userId}`,
+      );
+    }
+
+    // Report updated profile usage to backend
+    const remaining = profiles.length - deletedProfiles.length;
+    await this.reportProfileUsage(userId, remaining).catch((err) =>
+      this.logger.warn(`Failed to report usage after cleanup: ${err.message}`),
+    );
+
+    return { deletedProfiles, remaining };
+  }
+
  /**
   * Check if the user has reached their profile limit.
   * Counts objects in the profiles/ prefix.
@@ -554,16 +690,33 @@ export class SyncService implements OnModuleInit {
  private async checkProfileLimit(ctx: UserContext): Promise<void> {
    if (ctx.profileLimit <= 0) return; // 0 = unlimited

-    const profilePrefix = `${ctx.prefix}profiles/`;
-    const result = await this.s3Client.send(
+    let count = 0;
+
+    const userResult = await this.s3Client.send(
      new ListObjectsV2Command({
        Bucket: this.bucket,
-        Prefix: profilePrefix,
+        Prefix: `${ctx.prefix}profiles/`,
        Delimiter: "/",
      }),
    );
+    count += userResult.CommonPrefixes?.length || 0;
+
+    if (ctx.teamPrefix && ctx.teamProfileLimit && ctx.teamProfileLimit > 0) {
+      const teamResult = await this.s3Client.send(
+        new ListObjectsV2Command({
+          Bucket: this.bucket,
+          Prefix: `${ctx.teamPrefix}profiles/`,
+          Delimiter: "/",
+        }),
+      );
+      const teamCount = teamResult.CommonPrefixes?.length || 0;
+      if (teamCount >= ctx.teamProfileLimit) {
+        throw new ForbiddenException(
+          `Team profile limit reached (${ctx.teamProfileLimit}). Ask the team owner to upgrade.`,
+        );
+      }
+    }

-    const count = result.CommonPrefixes?.length || 0;
    if (count >= ctx.profileLimit) {
      throw new ForbiddenException(
        `Profile limit reached (${ctx.profileLimit}). Upgrade your plan for more profiles.`,
@@ -604,6 +757,35 @@ export class SyncService implements OnModuleInit {
    return match ? match[1] : null;
  }

+  private async countTeamProfiles(ctx: UserContext): Promise<number> {
+    if (!ctx.teamPrefix) return 0;
+    const profilePrefix = `${ctx.teamPrefix}profiles/`;
+    let count = 0;
+    let continuationToken: string | undefined;
+
+    do {
+      const result = await this.s3Client.send(
+        new ListObjectsV2Command({
+          Bucket: this.bucket,
+          Prefix: profilePrefix,
+          Delimiter: "/",
+          MaxKeys: 1000,
+          ContinuationToken: continuationToken,
+        }),
+      );
+      count += result.CommonPrefixes?.length || 0;
+      continuationToken = result.NextContinuationToken;
+    } while (continuationToken);
+
+    return count;
+  }
+
+  private extractTeamId(ctx: UserContext): string | null {
+    if (!ctx.teamPrefix) return null;
+    const match = ctx.teamPrefix.match(/^teams\/([^/]+)\/$/);
+    return match ? match[1] : null;
+  }
+
  /**
   * Fire-and-forget: count profiles and report to backend.
   */
@@ -614,7 +796,17 @@ export class SyncService implements OnModuleInit {
    if (!userId) return;

    this.countProfiles(ctx)
-      .then((count) => this.reportProfileUsage(userId, count))
+      .then(async (count) => {
+        await this.reportProfileUsage(userId, count);
+
+        if (ctx.teamPrefix) {
+          const teamCount = await this.countTeamProfiles(ctx);
+          const teamId = this.extractTeamId(ctx);
+          if (teamId) {
+            await this.reportProfileUsage(teamId, teamCount);
+          }
+        }
+      })
      .catch((err) =>
        this.logger.warn(`Failed to report profile usage: ${err.message}`),
      );
@@ -57,7 +57,7 @@
    "color": "^5.0.3",
    "flag-icons": "^7.5.0",
    "i18next": "^25.8.13",
-    "lucide-react": "^0.575.0",
+    "lucide-react": "^0.576.0",
    "motion": "^12.34.3",
    "next": "^16.1.6",
    "next-themes": "^0.4.6",
@@ -76,12 +76,12 @@
    "@tailwindcss/postcss": "^4.2.1",
    "@tauri-apps/cli": "~2.10.0",
    "@types/color": "^4.2.0",
-    "@types/node": "^25.3.0",
+    "@types/node": "^25.3.3",
    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
    "@vitejs/plugin-react": "^5.1.4",
    "husky": "^9.1.7",
-    "lint-staged": "^16.2.7",
+    "lint-staged": "^16.3.1",
    "tailwindcss": "^4.2.1",
    "ts-unused-exports": "^11.0.1",
    "tw-animate-css": "^1.4.0",
@@ -795,6 +795,15 @@ dependencies = [
 "bzip2-sys",
 ]

+[[package]]
+name = "bzip2"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f3a53fac24f34a81bc9954b5d6cfce0c21e18ec6959f44f56e8e90e4bb7c346c"
+dependencies = [
+ "libbz2-rs-sys",
+]
+
 [[package]]
 name = "bzip2-sys"
 version = "0.1.13+1.0.8"
@@ -1405,9 +1414,9 @@ checksum = "092966b41edc516079bdf31ec78a2e0588d1d0c08f78b91d8307215928642b2b"

 [[package]]
 name = "deflate64"
-version = "0.1.10"
+version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "26bf8fc351c5ed29b5c2f0cbbac1b209b74f60ecd62e675a998df72c49af5204"
+checksum = "807800ff3288b621186fe0a8f3392c4652068257302709c24efd918c3dffcdc2"

 [[package]]
 name = "defmt"
@@ -1533,9 +1542,9 @@ checksum = "bd0c93bb4b0c6d9b77f4435b0ae98c24d17f1c45b2ff844c6151a07256ca923b"

 [[package]]
 name = "dispatch2"
-version = "0.3.0"
+version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "89a09f22a6c6069a18470eb92d2298acf25463f14256d24778e1230d789a2aec"
+checksum = "1e0e367e4e7da84520dedcac1901e4da967309406d1e51017ae1abfb97adbd38"
 dependencies = [
 "bitflags 2.11.0",
 "block2",
@@ -1598,7 +1607,7 @@ dependencies = [
 "base64 0.22.1",
 "blake3",
 "boringtun",
- "bzip2",
+ "bzip2 0.6.1",
 "chrono",
 "clap",
 "core-foundation 0.10.1",
@@ -1616,12 +1625,13 @@ dependencies = [
 "lazy_static",
 "libc",
 "log",
+ "lz4_flex",
 "lzma-rs",
 "maxminddb",
 "mime_guess",
 "msi-extract",
 "muda",
- "nix 0.31.1",
+ "nix 0.31.2",
 "objc2",
 "objc2-app-kit",
 "once_cell",
@@ -3178,9 +3188,9 @@ dependencies = [

 [[package]]
 name = "jiff"
-version = "0.2.21"
+version = "0.2.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b3e3d65f018c6ae946ab16e80944b97096ed73c35b221d1c478a6c81d8f57940"
+checksum = "819b44bc7c87d9117eb522f14d46e918add69ff12713c475946b0a29363ed1c2"
 dependencies = [
 "jiff-static",
 "log",
@@ -3191,9 +3201,9 @@ dependencies = [

 [[package]]
 name = "jiff-static"
-version = "0.2.21"
+version = "0.2.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a17c2b211d863c7fde02cbea8a3c1a439b98e109286554f2860bdded7ff83818"
+checksum = "470252db18ecc35fd766c0891b1e3ec6cbbcd62507e85276c01bf75d8e94d4a1"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -3234,9 +3244,9 @@ dependencies = [

 [[package]]
 name = "js-sys"
-version = "0.3.88"
+version = "0.3.91"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c7e709f3e3d22866f9c25b3aff01af289b18422cc8b4262fb19103ee80fe513d"
+checksum = "b49715b7073f385ba4bc528e5747d02e66cb39c6146efb66b781f131f0fb399c"
 dependencies = [
 "once_cell",
 "wasm-bindgen",
@@ -3341,10 +3351,16 @@ dependencies = [
 ]

 [[package]]
-name = "libc"
-version = "0.2.180"
+name = "libbz2-rs-sys"
+version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc"
+checksum = "2c4a545a15244c7d945065b5d392b2d2d7f21526fba56ce51467b06ed445e8f7"
+
+[[package]]
+name = "libc"
+version = "0.2.182"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112"

 [[package]]
 name = "libfuzzer-sys"
@@ -3374,13 +3390,14 @@ checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981"

 [[package]]
 name = "libredox"
-version = "0.1.12"
+version = "0.1.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3d0b95e02c851351f877147b7deea7b1afb1df71b63aa5f8270716e0c5720616"
+checksum = "1744e39d1d6a9948f4f388969627434e31128196de472883b39f148769bfe30a"
 dependencies = [
 "bitflags 2.11.0",
 "libc",
- "redox_syscall 0.7.1",
+ "plain",
+ "redox_syscall 0.7.3",
 ]

 [[package]]
@@ -3415,9 +3432,9 @@ dependencies = [

 [[package]]
 name = "linux-raw-sys"
-version = "0.11.0"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df1d3c3b53da64cf5760482273a98e575c651a67eec7f77df96b5b642de8f039"
+checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53"

 [[package]]
 name = "litemap"
@@ -3452,6 +3469,15 @@ dependencies = [
 "imgref",
 ]

+[[package]]
+name = "lz4_flex"
+version = "0.11.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08ab2867e3eeeca90e844d1940eab391c9dc5228783db2ed999acbc0a9ed375a"
+dependencies = [
+ "twox-hash",
+]
+
 [[package]]
 name = "lzma-rs"
 version = "0.3.0"
@@ -3745,9 +3771,9 @@ dependencies = [

 [[package]]
 name = "nix"
-version = "0.31.1"
+version = "0.31.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "225e7cfe711e0ba79a68baeddb2982723e4235247aefce1482f2f16c27865b66"
+checksum = "5d6d0705320c1e6ba1d912b5e37cf18071b6c2e9b7fa8215a1e8a7651966f5d3"
 dependencies = [
 "bitflags 2.11.0",
 "cfg-if",
@@ -3884,9 +3910,9 @@ dependencies = [

 [[package]]
 name = "objc2"
-version = "0.6.3"
+version = "0.6.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b7c2599ce0ec54857b29ce62166b0ed9b4f6f1a70ccc9a71165b6154caca8c05"
+checksum = "3a12a8ed07aefc768292f076dc3ac8c48f3781c8f2d5851dd3d98950e8c5a89f"
 dependencies = [
 "objc2-encode",
 "objc2-exception-helper",
@@ -4455,9 +4481,9 @@ checksum = "5be167a7af36ee22fe3115051bc51f6e6c7054c9348e28deb4f49bd6f705a315"

 [[package]]
 name = "pin-project-lite"
-version = "0.2.16"
+version = "0.2.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b"
+checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd"

 [[package]]
 name = "pin-utils"
@@ -4467,9 +4493,9 @@ checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"

 [[package]]
 name = "piper"
-version = "0.2.4"
+version = "0.2.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "96c8c490f422ef9a4efd2cb5b42b76c8613d7e7dfc1caf667b8a3350a5acc066"
+checksum = "c835479a4443ded371d6c535cbfd8d31ad92c5d23ae9770a61bc155e4992a3c1"
 dependencies = [
 "atomic-waker",
 "fastrand",
@@ -4482,6 +4508,12 @@ version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"

+[[package]]
+name = "plain"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b4596b6d070b27117e987119b4dac604f3c58cfb0b191112e24771b2faeac1a6"
+
 [[package]]
 name = "playwright"
 version = "0.0.23"
@@ -4767,12 +4799,9 @@ dependencies = [

 [[package]]
 name = "pxfm"
-version = "0.1.27"
+version = "0.1.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7186d3822593aa4393561d186d1393b3923e9d6163d3fbfd6e825e3e6cf3e6a8"
-dependencies = [
- "num-traits",
-]
+checksum = "b5a041e753da8b807c9255f28de81879c78c876392ff2469cde94799b2896b9d"

 [[package]]
 name = "qoi"
@@ -5026,9 +5055,9 @@ dependencies = [

 [[package]]
 name = "redox_syscall"
-version = "0.7.1"
+version = "0.7.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "35985aa610addc02e24fc232012c86fd11f14111180f902b67e2d5331f8ebf2b"
+checksum = "6ce70a74e890531977d37e532c34d45e9055d2409ed08ddba14529471ed0be16"
 dependencies = [
 "bitflags 2.11.0",
 ]
@@ -5095,9 +5124,9 @@ checksum = "cab834c73d247e67f4fae452806d17d3c7501756d98c8808d7c9c7aa7d18f973"

 [[package]]
 name = "regex-syntax"
-version = "0.8.9"
+version = "0.8.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a96887878f22d7bad8a3b6dc5b7440e0ada9a245242924394987b21cf2210a4c"
+checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"

 [[package]]
 name = "rend"
@@ -5235,9 +5264,9 @@ dependencies = [

 [[package]]
 name = "rgb"
-version = "0.8.52"
+version = "0.8.53"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c6a884d2998352bb4daf0183589aec883f16a6da1f4dde84d8e2e9a5409a1ce"
+checksum = "47b34b781b31e5d73e9fbc8689c70551fd1ade9a19e3e28cfec8580a79290cc4"
 dependencies = [
 "bytemuck",
 ]
@@ -5362,9 +5391,9 @@ dependencies = [

 [[package]]
 name = "rustix"
-version = "1.1.3"
+version = "1.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "146c9e247ccc180c1f61615433868c99f3de3ae256a30a43b49f67c2d9171f34"
+checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190"
 dependencies = [
 "bitflags 2.11.0",
 "errno",
@@ -5375,9 +5404,9 @@ dependencies = [

 [[package]]
 name = "rustls"
-version = "0.23.36"
+version = "0.23.37"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c665f33d38cea657d9614f766881e4d510e0eda4239891eea56b4cadcf01801b"
+checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4"
 dependencies = [
 "once_cell",
 "rustls-pki-types",
@@ -5703,9 +5732,9 @@ dependencies = [

 [[package]]
 name = "serde_with"
-version = "3.16.1"
+version = "3.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4fa237f2807440d238e0364a218270b98f767a00d3dada77b1c53ae88940e2e7"
+checksum = "381b283ce7bc6b476d903296fb59d0d36633652b633b27f64db4fb46dcbfc3b9"
 dependencies = [
 "base64 0.22.1",
 "chrono",
@@ -5722,9 +5751,9 @@ dependencies = [

 [[package]]
 name = "serde_with_macros"
-version = "3.16.1"
+version = "3.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "52a8e3ca0ca629121f70ab50f95249e5a6f925cc0f6ffe8256c45b728875706c"
+checksum = "a6d4e30573c8cb306ed6ab1dca8423eec9a463ea0e155f45399455e0368b27e0"
 dependencies = [
 "darling",
 "proc-macro2",
@@ -6665,9 +6694,9 @@ dependencies = [

 [[package]]
 name = "tempfile"
-version = "3.25.0"
+version = "3.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0136791f7c95b1f6dd99f9cc786b91bb81c3800b639b3478e561ddb7be95e5f1"
+checksum = "82a72c767771b47409d2345987fda8628641887d5466101319899796367354a0"
 dependencies = [
 "fastrand",
 "getrandom 0.4.1",
@@ -7160,6 +7189,12 @@ dependencies = [
 "utf-8",
 ]

+[[package]]
+name = "twox-hash"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ea3136b675547379c4bd395ca6b938e5ad3c3d20fad76e7fe85f9e0d011419c"
+
 [[package]]
 name = "typed-path"
 version = "0.12.3"
@@ -7549,9 +7584,9 @@ dependencies = [

 [[package]]
 name = "wasm-bindgen"
-version = "0.2.111"
+version = "0.2.114"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ec1adf1535672f5b7824f817792b1afd731d7e843d2d04ec8f27e8cb51edd8ac"
+checksum = "6532f9a5c1ece3798cb1c2cfdba640b9b3ba884f5db45973a6f442510a87d38e"
 dependencies = [
 "cfg-if",
 "once_cell",
@@ -7562,9 +7597,9 @@ dependencies = [

 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.61"
+version = "0.4.64"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fe88540d1c934c4ec8e6db0afa536876c5441289d7f9f9123d4f065ac1250a6b"
+checksum = "e9c5522b3a28661442748e09d40924dfb9ca614b21c00d3fd135720e48b67db8"
 dependencies = [
 "cfg-if",
 "futures-util",
@@ -7576,9 +7611,9 @@ dependencies = [

 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.111"
+version = "0.2.114"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "19e638317c08b21663aed4d2b9a2091450548954695ff4efa75bff5fa546b3b1"
+checksum = "18a2d50fcf105fb33bb15f00e7a77b772945a2ee45dcf454961fd843e74c18e6"
 dependencies = [
 "quote",
 "wasm-bindgen-macro-support",
@@ -7586,9 +7621,9 @@ dependencies = [

 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.111"
+version = "0.2.114"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2c64760850114d03d5f65457e96fc988f11f01d38fbaa51b254e4ab5809102af"
+checksum = "03ce4caeaac547cdf713d280eda22a730824dd11e6b8c3ca9e42247b25c631e3"
 dependencies = [
 "bumpalo",
 "proc-macro2",
@@ -7599,9 +7634,9 @@ dependencies = [

 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.111"
+version = "0.2.114"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "60eecd4fe26177cfa3339eb00b4a36445889ba3ad37080c2429879718e20ca41"
+checksum = "75a326b8c223ee17883a4251907455a2431acc2791c98c26279376490c378c16"
 dependencies = [
 "unicode-ident",
 ]
@@ -7655,9 +7690,9 @@ dependencies = [

 [[package]]
 name = "web-sys"
-version = "0.3.88"
+version = "0.3.91"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d6bb20ed2d9572df8584f6dc81d68a41a625cadc6f15999d649a70ce7e3597a"
+checksum = "854ba17bb104abfb26ba36da9729addc7ce7f06f5c0f90f3c391f8461cca21f9"
 dependencies = [
 "js-sys",
 "wasm-bindgen",
@@ -8605,18 +8640,18 @@ dependencies = [

 [[package]]
 name = "zerocopy"
-version = "0.8.39"
+version = "0.8.40"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "db6d35d663eadb6c932438e763b262fe1a70987f9ae936e60158176d710cae4a"
+checksum = "a789c6e490b576db9f7e6b6d661bcc9799f7c0ac8352f56ea20193b2681532e5"
 dependencies = [
 "zerocopy-derive",
 ]

 [[package]]
 name = "zerocopy-derive"
-version = "0.8.39"
+version = "0.8.40"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4122cd3169e94605190e77839c9a40d40ed048d305bfdc146e7df40ab0f3e517"
+checksum = "f65c489a7071a749c849713807783f70672b28094011623e200cb86dcb835953"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -8705,7 +8740,7 @@ checksum = "fabe6324e908f85a1c52063ce7aa26b68dcb7eb6dbc83a2d148403c9bc3eba50"
 dependencies = [
 "aes",
 "arbitrary",
- "bzip2",
+ "bzip2 0.5.2",
 "constant_time_eq 0.3.1",
 "crc32fast",
 "crossbeam-utils",
@@ -100,6 +100,7 @@ maxminddb = "0.27"
 quick-xml = { version = "0.39", features = ["serialize"] }

 # VPN support
+lz4_flex = "0.11"
 boringtun = "0.7"
 smoltcp = { version = "0.11", default-features = false, features = ["std", "medium-ip", "proto-ipv4", "proto-ipv6", "socket-tcp", "socket-udp"] }

@@ -39,6 +39,7 @@ pub struct ApiProfile {
  pub group_id: Option<String>,
  pub tags: Vec<String>,
  pub is_running: bool,
+  pub proxy_bypass_rules: Vec<String>,
 }

 #[derive(Debug, Serialize, Deserialize, ToSchema)]
@@ -78,6 +79,8 @@ pub struct UpdateProfileRequest {
  pub camoufox_config: Option<serde_json::Value>,
  pub group_id: Option<String>,
  pub tags: Option<Vec<String>>,
+  pub extension_group_id: Option<String>,
+  pub proxy_bypass_rules: Option<Vec<String>>,
 }

 #[derive(Clone)]
@@ -295,30 +298,23 @@ impl ApiServer {

    // Create router with OpenAPI documentation
    let (v1_routes, _) = OpenApiRouter::new()
-      .routes(routes!(
-        get_profiles,
-        create_profile,
-        get_profile,
-        update_profile,
-        delete_profile,
-        run_profile,
-        open_url_in_profile,
-        kill_profile,
-        get_groups,
-        create_group,
-        get_group,
-        update_group,
-        delete_group,
-        get_tags,
-        get_proxies,
-        create_proxy,
-        get_proxy,
-        update_proxy,
-        delete_proxy,
-        download_browser_api,
-        get_browser_versions,
-        check_browser_downloaded,
-      ))
+      .routes(routes!(get_profiles, create_profile))
+      .routes(routes!(get_profile, update_profile, delete_profile))
+      .routes(routes!(run_profile))
+      .routes(routes!(open_url_in_profile))
+      .routes(routes!(kill_profile))
+      .routes(routes!(get_groups, create_group))
+      .routes(routes!(get_group, update_group, delete_group))
+      .routes(routes!(get_tags))
+      .routes(routes!(get_proxies, create_proxy))
+      .routes(routes!(get_proxy, update_proxy, delete_proxy))
+      .routes(routes!(get_extensions))
+      .routes(routes!(delete_extension_api))
+      .routes(routes!(get_extension_groups))
+      .routes(routes!(delete_extension_group_api))
+      .routes(routes!(download_browser_api))
+      .routes(routes!(get_browser_versions))
+      .routes(routes!(check_browser_downloaded))
      .split_for_parts();

    let api = ApiDoc::openapi();
@@ -493,6 +489,7 @@ async fn get_profiles() -> Result<Json<ApiProfilesResponse>, StatusCode> {
          group_id: profile.group_id.clone(),
          tags: profile.tags.clone(),
          is_running: profile.process_id.is_some(), // Simple check based on process_id
+          proxy_bypass_rules: profile.proxy_bypass_rules.clone(),
        })
        .collect();

@@ -547,6 +544,7 @@ async fn get_profile(
            group_id: profile.group_id.clone(),
            tags: profile.tags.clone(),
            is_running: profile.process_id.is_some(), // Simple check based on process_id
+            proxy_bypass_rules: profile.proxy_bypass_rules.clone(),
          },
        }))
      } else {
@@ -645,6 +643,7 @@ async fn create_profile(
          group_id: profile.group_id,
          tags: profile.tags,
          is_running: false,
+          proxy_bypass_rules: profile.proxy_bypass_rules,
        },
      }))
    }
@@ -748,6 +747,29 @@ async fn update_profile(
    }
  }

+  if let Some(extension_group_id) = request.extension_group_id {
+    let ext_group = if extension_group_id.is_empty() {
+      None
+    } else {
+      Some(extension_group_id)
+    };
+    if profile_manager
+      .update_profile_extension_group(&id, ext_group)
+      .is_err()
+    {
+      return Err(StatusCode::BAD_REQUEST);
+    }
+  }
+
+  if let Some(proxy_bypass_rules) = request.proxy_bypass_rules {
+    if profile_manager
+      .update_profile_proxy_bypass_rules(&state.app_handle, &id, proxy_bypass_rules)
+      .is_err()
+    {
+      return Err(StatusCode::BAD_REQUEST);
+    }
+  }
+
  // Return updated profile
  get_profile(Path(id), State(state)).await
 }
@@ -1153,6 +1175,94 @@ async fn delete_proxy(
  }
 }

+// Extension API endpoints
+
+#[utoipa::path(
+  get,
+  path = "/v1/extensions",
+  responses(
+    (status = 200, description = "List of extensions"),
+    (status = 401, description = "Unauthorized"),
+  ),
+  security(("bearer_auth" = [])),
+  tag = "extensions"
+)]
+async fn get_extensions(
+  State(_state): State<ApiServerState>,
+) -> Result<Json<Vec<crate::extension_manager::Extension>>, StatusCode> {
+  let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+  mgr
+    .list_extensions()
+    .map(Json)
+    .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)
+}
+
+#[utoipa::path(
+  get,
+  path = "/v1/extension-groups",
+  responses(
+    (status = 200, description = "List of extension groups"),
+    (status = 401, description = "Unauthorized"),
+  ),
+  security(("bearer_auth" = [])),
+  tag = "extensions"
+)]
+async fn get_extension_groups(
+  State(_state): State<ApiServerState>,
+) -> Result<Json<Vec<crate::extension_manager::ExtensionGroup>>, StatusCode> {
+  let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+  mgr
+    .list_groups()
+    .map(Json)
+    .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)
+}
+
+#[utoipa::path(
+  delete,
+  path = "/v1/extensions/{id}",
+  params(("id" = String, Path, description = "Extension ID")),
+  responses(
+    (status = 204, description = "Extension deleted"),
+    (status = 401, description = "Unauthorized"),
+    (status = 404, description = "Extension not found"),
+  ),
+  security(("bearer_auth" = [])),
+  tag = "extensions"
+)]
+async fn delete_extension_api(
+  Path(id): Path<String>,
+  State(state): State<ApiServerState>,
+) -> Result<StatusCode, StatusCode> {
+  let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+  mgr
+    .delete_extension(&state.app_handle, &id)
+    .map(|_| StatusCode::NO_CONTENT)
+    .map_err(|_| StatusCode::NOT_FOUND)
+}
+
+#[utoipa::path(
+  delete,
+  path = "/v1/extension-groups/{id}",
+  params(("id" = String, Path, description = "Extension Group ID")),
+  responses(
+    (status = 204, description = "Extension group deleted"),
+    (status = 401, description = "Unauthorized"),
+    (status = 404, description = "Extension group not found"),
+  ),
+  security(("bearer_auth" = [])),
+  tag = "extensions"
+)]
+async fn delete_extension_group_api(
+  Path(id): Path<String>,
+  State(state): State<ApiServerState>,
+) -> Result<StatusCode, StatusCode> {
+  let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+  mgr
+    .delete_group(&state.app_handle, &id)
+    .map(|_| StatusCode::NO_CONTENT)
+    .map_err(|_| StatusCode::NOT_FOUND)
+}
+
 // API Handler - Run Profile with Remote Debugging
 #[utoipa::path(
  post,
@@ -1195,6 +1305,11 @@ async fn run_profile(
    return Err(StatusCode::BAD_REQUEST);
  }

+  // Team lock check
+  crate::team_lock::acquire_team_lock_if_needed(profile)
+    .await
+    .map_err(|_| StatusCode::CONFLICT)?;
+
  // Generate a random port for remote debugging
  let remote_debugging_port = rand::random::<u16>().saturating_add(9000).max(9000);

@@ -1289,6 +1404,8 @@ async fn kill_profile(
    .await
    .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;

+  crate::team_lock::release_team_lock_if_needed(profile).await;
+
  Ok(StatusCode::NO_CONTENT)
 }

@@ -744,13 +744,36 @@ impl AppAutoUpdater {
    log::info!("Extracting update...");
    let extracted_app_path = self.extract_update(&download_path, &temp_dir).await?;

-    log::info!("Installing update (overwriting binary)...");
-    self.install_update(&extracted_app_path).await?;
+    // On Windows, MSI/EXE installers close the running app, so running them now
+    // would kill the process before the "Update ready" toast can appear. Instead,
+    // defer execution to restart_application() when the user clicks "Restart Now".
+    #[cfg(target_os = "windows")]
+    {
+      let ext = extracted_app_path
+        .extension()
+        .and_then(|e| e.to_str())
+        .unwrap_or("")
+        .to_lowercase();
+      if ext == "msi" || ext == "exe" {
+        log::info!("Deferring Windows installer execution until user-initiated restart");
+        *PENDING_INSTALLER_PATH.lock().unwrap() = Some(extracted_app_path);
+      } else {
+        log::info!("Installing update (overwriting binary)...");
+        self.install_update(&extracted_app_path).await?;
+        log::info!("Cleaning up temporary files...");
+        let _ = fs::remove_dir_all(&temp_dir);
+      }
+    }

-    log::info!("Cleaning up temporary files...");
-    let _ = fs::remove_dir_all(&temp_dir);
+    #[cfg(not(target_os = "windows"))]
+    {
+      log::info!("Installing update (overwriting binary)...");
+      self.install_update(&extracted_app_path).await?;
+      log::info!("Cleaning up temporary files...");
+      let _ = fs::remove_dir_all(&temp_dir);
+    }

-    log::info!("Update installed successfully, emitting app-update-ready event");
+    log::info!("Update ready, emitting app-update-ready event");

    let _ = events::emit("app-update-ready", update_info.new_version.clone());

@@ -1421,14 +1444,63 @@ rm "{}"
    {
      let app_path = self.get_current_app_path()?;
      let current_pid = std::process::id();
+      let pending = PENDING_INSTALLER_PATH.lock().unwrap().take();

-      // Create a temporary restart batch script
      let temp_dir = std::env::temp_dir();
      let script_path = temp_dir.join("donut_restart.bat");
+      let update_temp_dir = temp_dir.join("donut_app_update");

-      // Create the restart script content
-      let script_content = format!(
-        r#"@echo off
+      let script_content = if let Some(installer_path) = pending {
+        let ext = installer_path
+          .extension()
+          .and_then(|e| e.to_str())
+          .unwrap_or("")
+          .to_lowercase();
+        let install_cmd = match ext.as_str() {
+          "msi" => format!(
+            "msiexec /i \"{}\" /quiet /norestart REBOOT=ReallySuppress",
+            installer_path.to_str().unwrap()
+          ),
+          "exe" => format!("\"{}\" /S", installer_path.to_str().unwrap()),
+          _ => String::new(),
+        };
+
+        format!(
+          r#"@echo off
+rem Wait for the current process to exit
+:wait_loop
+tasklist /fi "PID eq {pid}" >nul 2>&1
+if %errorlevel% equ 0 (
+    timeout /t 1 /nobreak >nul
+    goto wait_loop
+)
+
+rem Wait a bit more to ensure clean exit
+timeout /t 2 /nobreak >nul
+
+rem Run the installer
+{install_cmd}
+
+rem Wait for installation to complete
+timeout /t 3 /nobreak >nul
+
+rem Start the new application
+start "" "{app_path}"
+
+rem Clean up installer temp files
+rmdir /s /q "{update_temp}"
+
+rem Clean up this script
+del "%~f0"
+"#,
+          pid = current_pid,
+          install_cmd = install_cmd,
+          app_path = app_path.to_str().unwrap(),
+          update_temp = update_temp_dir.to_str().unwrap(),
+        )
+      } else {
+        format!(
+          r#"@echo off
 rem Wait for the current process to exit
 :wait_loop
 tasklist /fi "PID eq {}" >nul 2>&1
@@ -1446,24 +1518,20 @@ start "" "{}"
 rem Clean up this script
 del "%~f0"
 "#,
-        current_pid,
-        app_path.to_str().unwrap()
-      );
+          current_pid,
+          app_path.to_str().unwrap()
+        )
+      };

-      // Write the script to file
      fs::write(&script_path, script_content)?;

-      // Execute the restart script in the background
      let mut cmd = Command::new("cmd");
      cmd.args(["/C", script_path.to_str().unwrap()]);

-      // Start the process detached
      let _child = cmd.spawn()?;

-      // Give the script a moment to start
      tokio::time::sleep(tokio::time::Duration::from_millis(500)).await;

-      // Exit the current process
      std::process::exit(0);
    }

@@ -1926,4 +1994,5 @@ mod tests {
 // Global singleton instance
 lazy_static::lazy_static! {
  static ref APP_AUTO_UPDATER: AppAutoUpdater = AppAutoUpdater::new();
+  static ref PENDING_INSTALLER_PATH: std::sync::Mutex<Option<PathBuf>> = std::sync::Mutex::new(None);
 }
@@ -70,6 +70,10 @@ pub fn vpn_dir() -> PathBuf {
  data_dir().join("vpn")
 }

+pub fn extensions_dir() -> PathBuf {
+  data_dir().join("extensions")
+}
+
 #[cfg(test)]
 thread_local! {
  static TEST_DATA_DIR: std::cell::RefCell<Option<PathBuf>> = const { std::cell::RefCell::new(None) };
@@ -152,6 +156,7 @@ mod tests {
    assert!(settings_dir().ends_with("settings"));
    assert!(proxies_dir().ends_with("proxies"));
    assert!(vpn_dir().ends_with("vpn"));
+    assert!(extensions_dir().ends_with("extensions"));
  }

  #[test]
@@ -61,6 +61,10 @@ impl AutoUpdater {
    let mut browser_profiles: HashMap<String, Vec<BrowserProfile>> = HashMap::new();

    for profile in profiles {
+      if profile.is_cross_os() {
+        continue;
+      }
+
      // Only check supported browsers
      if !self
        .browser_version_manager
@@ -313,6 +317,10 @@ impl AutoUpdater {
    // Find all profiles for this browser that should be updated
    for profile in profiles {
      if profile.browser == browser {
+        if profile.is_cross_os() {
+          continue;
+        }
+
        // Check if profile is currently running
        if profile.process_id.is_some() {
          continue; // Skip running profiles
@@ -515,6 +523,10 @@ mod tests {
      last_sync: None,
      host_os: None,
      ephemeral: false,
+      extension_group_id: None,
+      proxy_bypass_rules: Vec::new(),
+      created_by_id: None,
+      created_by_email: None,
    }
  }

@@ -316,6 +316,20 @@ fn run_daemon() {
      }
      Event::Reopen { .. } => {
        tray::open_gui();
+
+        // Re-hide daemon from Dock. macOS activates the daemon (making it
+        // visible) when the user clicks the Dock icon, overriding the
+        // Accessory policy set at init.
+        #[cfg(target_os = "macos")]
+        {
+          use objc2::MainThreadMarker;
+          use objc2_app_kit::{NSApplication, NSApplicationActivationPolicy};
+
+          if let Some(mtm) = MainThreadMarker::new() {
+            let app = NSApplication::sharedApplication(mtm);
+            app.setActivationPolicy(NSApplicationActivationPolicy::Accessory);
+          }
+        }
      }
      _ => {}
    }
@@ -147,6 +147,11 @@ async fn main() {
              Arg::new("profile-id")
                .long("profile-id")
                .help("ID of the profile this proxy is associated with"),
+            )
+            .arg(
+              Arg::new("bypass-rules")
+                .long("bypass-rules")
+                .help("JSON array of bypass rules (hostnames, IPs, or regex patterns)"),
            ),
        )
        .subcommand(
@@ -217,8 +222,12 @@ async fn main() {

      let port = start_matches.get_one::<u16>("port").copied();
      let profile_id = start_matches.get_one::<String>("profile-id").cloned();
+      let bypass_rules: Vec<String> = start_matches
+        .get_one::<String>("bypass-rules")
+        .and_then(|s| serde_json::from_str(s).ok())
+        .unwrap_or_default();

-      match start_proxy_process_with_profile(upstream_url, port, profile_id).await {
+      match start_proxy_process_with_profile(upstream_url, port, profile_id, bypass_rules).await {
        Ok(config) => {
          // Output the configuration as JSON for the Rust side to parse
          // Use println! here because this needs to go to stdout for parsing
@@ -1,5 +1,6 @@
 use crate::browser::{create_browser, BrowserType, ProxySettings};
 use crate::camoufox_manager::{CamoufoxConfig, CamoufoxManager};
+use crate::cloud_auth::CLOUD_AUTH;
 use crate::downloaded_browsers_registry::DownloadedBrowsersRegistry;
 use crate::events;
 use crate::platform_browser;
@@ -37,6 +38,17 @@ impl BrowserRunner {
    crate::app_dirs::binaries_dir()
  }

+  /// Refresh cloud proxy credentials if the profile uses a cloud or cloud-derived proxy,
+  /// then resolve the proxy settings.
+  async fn resolve_proxy_with_refresh(&self, proxy_id: Option<&String>) -> Option<ProxySettings> {
+    let proxy_id = proxy_id?;
+    if PROXY_MANAGER.is_cloud_or_derived(proxy_id) {
+      log::info!("Refreshing cloud proxy credentials before launch for proxy {proxy_id}");
+      CLOUD_AUTH.sync_cloud_proxy().await;
+    }
+    PROXY_MANAGER.get_proxy_settings_by_id(proxy_id)
+  }
+
  /// Get the executable path for a browser profile
  /// This is a common helper to eliminate code duplication across the codebase
  pub fn get_browser_executable_path(
@@ -92,10 +104,10 @@ impl BrowserRunner {
      });

      // Always start a local proxy for Camoufox (for traffic monitoring and geoip support)
-      let mut upstream_proxy = profile
-        .proxy_id
-        .as_ref()
-        .and_then(|id| PROXY_MANAGER.get_proxy_settings_by_id(id));
+      // Refresh cloud proxy credentials if needed before resolving
+      let mut upstream_proxy = self
+        .resolve_proxy_with_refresh(profile.proxy_id.as_ref())
+        .await;

      // If profile has a VPN instead of proxy, start VPN worker and use it as upstream
      if upstream_proxy.is_none() {
@@ -138,6 +150,7 @@ impl BrowserRunner {
          upstream_proxy.as_ref(),
          0, // Use 0 as temporary PID, will be updated later
          Some(&profile_id_str),
+          profile.proxy_bypass_rules.clone(),
        )
        .await
        .map_err(|e| {
@@ -210,14 +223,6 @@ impl BrowserRunner {
        );
      }

-      // Ensure DuckDuckGo is set as default search engine for Camoufox
-      let mut browser_dir = self.get_binaries_dir();
-      browser_dir.push(&profile.browser);
-      browser_dir.push(&profile.version);
-      if let Err(e) = crate::downloader::configure_camoufox_search_engine(&browser_dir) {
-        log::warn!("Failed to configure Camoufox search engine: {e}");
-      }
-
      // Create ephemeral dir for ephemeral profiles
      let override_profile_path = if profile.ephemeral {
        let dir = crate::ephemeral_dirs::create_ephemeral_dir(&profile.id.to_string())
@@ -227,6 +232,31 @@ impl BrowserRunner {
        None
      };

+      // Install extensions if an extension group is assigned
+      if updated_profile.extension_group_id.is_some() {
+        let profiles_dir = self.profile_manager.get_profiles_dir();
+        let ext_profile_path = if let Some(ref override_path) = override_profile_path {
+          override_path.clone()
+        } else {
+          updated_profile.get_profile_data_path(&profiles_dir)
+        };
+        let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+        match mgr.install_extensions_for_profile(&updated_profile, &ext_profile_path) {
+          Ok(paths) => {
+            if !paths.is_empty() {
+              log::info!(
+                "Installed {} Firefox extensions for profile: {}",
+                paths.len(),
+                updated_profile.name
+              );
+            }
+          }
+          Err(e) => {
+            log::warn!("Failed to install extensions for Camoufox profile: {e}");
+          }
+        }
+      }
+
      // Launch Camoufox browser
      log::info!("Launching Camoufox for profile: {}", profile.name);
      let camoufox_result = self
@@ -332,10 +362,10 @@ impl BrowserRunner {
      });

      // Always start a local proxy for Wayfern (for traffic monitoring and geoip support)
-      let mut upstream_proxy = profile
-        .proxy_id
-        .as_ref()
-        .and_then(|id| PROXY_MANAGER.get_proxy_settings_by_id(id));
+      // Refresh cloud proxy credentials if needed before resolving
+      let mut upstream_proxy = self
+        .resolve_proxy_with_refresh(profile.proxy_id.as_ref())
+        .await;

      // If profile has a VPN instead of proxy, start VPN worker and use it as upstream
      if upstream_proxy.is_none() {
@@ -378,6 +408,7 @@ impl BrowserRunner {
          upstream_proxy.as_ref(),
          0, // Use 0 as temporary PID, will be updated later
          Some(&profile_id_str),
+          profile.proxy_bypass_rules.clone(),
        )
        .await
        .map_err(|e| {
@@ -455,6 +486,27 @@ impl BrowserRunner {
        crate::ephemeral_dirs::get_effective_profile_path(&updated_profile, &profiles_dir);
      let profile_path_str = profile_data_path.to_string_lossy().to_string();

+      // Install extensions if an extension group is assigned
+      let mut extension_paths = Vec::new();
+      if updated_profile.extension_group_id.is_some() {
+        let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+        match mgr.install_extensions_for_profile(&updated_profile, &profile_data_path) {
+          Ok(paths) => {
+            if !paths.is_empty() {
+              log::info!(
+                "Prepared {} Chromium extensions for profile: {}",
+                paths.len(),
+                updated_profile.name
+              );
+            }
+            extension_paths = paths;
+          }
+          Err(e) => {
+            log::warn!("Failed to install extensions for Wayfern profile: {e}");
+          }
+        }
+      }
+
      // Get proxy URL from config
      let proxy_url = wayfern_config.proxy.as_deref();

@@ -468,6 +520,7 @@ impl BrowserRunner {
          url.as_deref(),
          proxy_url,
          profile.ephemeral,
+          &extension_paths,
        )
        .await
        .map_err(|e| -> Box<dyn std::error::Error + Send + Sync> {
@@ -567,11 +620,10 @@ impl BrowserRunner {
      // Continue anyway, the error might not be critical
    }

-    // Get stored proxy settings for later use (removed as we handle this in proxy startup)
-    let _stored_proxy_settings = profile
-      .proxy_id
-      .as_ref()
-      .and_then(|id| PROXY_MANAGER.get_proxy_settings_by_id(id));
+    // Refresh cloud proxy credentials if needed before resolving
+    let _stored_proxy_settings = self
+      .resolve_proxy_with_refresh(profile.proxy_id.as_ref())
+      .await;

    // Use provided local proxy for Chromium-based browsers launch arguments
    let proxy_for_launch_args: Option<&ProxySettings> = local_proxy_settings;
@@ -1041,6 +1093,7 @@ impl BrowserRunner {
        upstream_proxy.as_ref(),
        temp_pid,
        Some(&profile_id_str),
+        profile.proxy_bypass_rules.clone(),
      )
      .await
      .map_err(|e| {
@@ -1348,7 +1401,11 @@ impl BrowserRunner {
                    #[cfg(target_os = "linux")]
                    {
                      use crate::platform_browser;
-                      if let Err(e) = platform_browser::linux::kill_browser_process_impl(pid).await
+                      if let Err(e) = platform_browser::linux::kill_browser_process_impl(
+                        pid,
+                        Some(&profile_path_str),
+                      )
+                      .await
                      {
                        log::error!("Failed to force kill Camoufox process {}: {}", pid, e);
                      } else {
@@ -1429,7 +1486,12 @@ impl BrowserRunner {
                  #[cfg(target_os = "linux")]
                  {
                    use crate::platform_browser;
-                    if let Err(e) = platform_browser::linux::kill_browser_process_impl(pid).await {
+                    if let Err(e) = platform_browser::linux::kill_browser_process_impl(
+                      pid,
+                      Some(&profile_path_str),
+                    )
+                    .await
+                    {
                      log::error!("Failed to force kill Camoufox process {}: {}", pid, e);
                    } else {
                      // Verify the process is actually dead after force kill
@@ -1517,7 +1579,8 @@ impl BrowserRunner {
                {
                  use crate::platform_browser;
                  if let Err(kill_err) =
-                    platform_browser::linux::kill_browser_process_impl(pid).await
+                    platform_browser::linux::kill_browser_process_impl(pid, Some(&profile_path_str))
+                      .await
                  {
                    log::error!(
                      "Failed to force kill Camoufox process {}: {}",
@@ -1787,7 +1850,12 @@ impl BrowserRunner {
                  #[cfg(target_os = "linux")]
                  {
                    use crate::platform_browser;
-                    if let Err(e) = platform_browser::linux::kill_browser_process_impl(pid).await {
+                    if let Err(e) = platform_browser::linux::kill_browser_process_impl(
+                      pid,
+                      Some(&profile_path_str),
+                    )
+                    .await
+                    {
                      log::error!("Failed to force kill Wayfern process {}: {}", pid, e);
                    } else {
                      sleep(Duration::from_millis(500)).await;
@@ -1858,7 +1926,8 @@ impl BrowserRunner {
                {
                  use crate::platform_browser;
                  if let Err(kill_err) =
-                    platform_browser::linux::kill_browser_process_impl(pid).await
+                    platform_browser::linux::kill_browser_process_impl(pid, Some(&profile_path_str))
+                      .await
                  {
                    log::error!("Failed to force kill Wayfern process {}: {}", pid, kill_err);
                  } else {
@@ -2155,7 +2224,12 @@ impl BrowserRunner {
    platform_browser::windows::kill_browser_process_impl(pid).await?;

    #[cfg(target_os = "linux")]
-    platform_browser::linux::kill_browser_process_impl(pid).await?;
+    {
+      let profiles_dir = self.profile_manager.get_profiles_dir();
+      let profile_data_path = profile.get_profile_data_path(&profiles_dir);
+      let profile_path_str = profile_data_path.to_string_lossy().to_string();
+      platform_browser::linux::kill_browser_process_impl(pid, Some(&profile_path_str)).await?;
+    }

    #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "linux")))]
    return Err("Unsupported platform".into());
@@ -2462,6 +2536,9 @@ pub async fn launch_browser_profile(
    ));
  }

+  // Team lock check: if profile is sync-enabled and user is on a team, acquire lock
+  crate::team_lock::acquire_team_lock_if_needed(&profile).await?;
+
  let browser_runner = BrowserRunner::instance();

  // Store the internal proxy settings for passing to launch_browser
@@ -2532,6 +2609,7 @@ pub async fn launch_browser_profile(
        upstream_proxy.as_ref(),
        temp_pid,
        Some(&profile_id_str),
+        profile_for_launch.proxy_bypass_rules.clone(),
      )
      .await
    {
@@ -2664,6 +2742,56 @@ pub async fn kill_browser_profile(
        profile.name,
        profile.id
      );
+
+      // Release team lock if applicable
+      crate::team_lock::release_team_lock_if_needed(&profile).await;
+
+      // Auto-update non-running profiles and cleanup unused binaries
+      let browser_for_update = profile.browser.clone();
+      let app_handle_for_update = app_handle.clone();
+      tauri::async_runtime::spawn(async move {
+        let registry = crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
+        let mut versions = registry.get_downloaded_versions(&browser_for_update);
+        if !versions.is_empty() {
+          versions.sort_by(|a, b| crate::api_client::compare_versions(b, a));
+          let latest_version = &versions[0];
+
+          let auto_updater = crate::auto_updater::AutoUpdater::instance();
+          match auto_updater
+            .auto_update_profile_versions(
+              &app_handle_for_update,
+              &browser_for_update,
+              latest_version,
+            )
+            .await
+          {
+            Ok(updated) => {
+              if !updated.is_empty() {
+                log::info!(
+                  "Auto-updated {} profiles after stop: {:?}",
+                  updated.len(),
+                  updated
+                );
+              }
+            }
+            Err(e) => {
+              log::error!("Failed to auto-update profile versions after stop: {e}");
+            }
+          }
+        }
+
+        match registry.cleanup_unused_binaries() {
+          Ok(cleaned) => {
+            if !cleaned.is_empty() {
+              log::info!("Cleaned up unused binaries after stop: {:?}", cleaned);
+            }
+          }
+          Err(e) => {
+            log::error!("Failed to cleanup unused binaries after stop: {e}");
+          }
+        }
+      });
+
      Ok(())
    }
    Err(e) => {
@@ -628,6 +628,9 @@ impl CamoufoxManager {
      }
    }

+    // Write search.json.mozlz4 with default search engines (DuckDuckGo + Google)
+    write_default_search_config(&profile_path);
+
    self
      .launch_camoufox(
        &app_handle,
@@ -641,6 +644,77 @@ impl CamoufoxManager {
  }
 }

+fn write_default_search_config(profile_path: &std::path::Path) {
+  let search_file = profile_path.join("search.json.mozlz4");
+  if search_file.exists() {
+    return;
+  }
+
+  let json = serde_json::json!({
+    "version": 6,
+    "engines": [
+      {
+        "_name": "DuckDuckGo",
+        "_isAppProvided": false,
+        "_metaData": { "order": 1 },
+        "_urls": [
+          {
+            "template": "https://duckduckgo.com/?q={searchTerms}",
+            "type": "text/html",
+            "params": []
+          },
+          {
+            "template": "https://duckduckgo.com/ac/?q={searchTerms}&type=list",
+            "type": "application/x-suggestions+json",
+            "params": []
+          }
+        ],
+        "_iconURL": "https://duckduckgo.com/favicon.ico"
+      },
+      {
+        "_name": "Google",
+        "_isAppProvided": false,
+        "_metaData": { "order": 2 },
+        "_urls": [
+          {
+            "template": "https://www.google.com/search?q={searchTerms}",
+            "type": "text/html",
+            "params": []
+          },
+          {
+            "template": "https://www.google.com/complete/search?client=firefox&q={searchTerms}",
+            "type": "application/x-suggestions+json",
+            "params": []
+          }
+        ],
+        "_iconURL": "https://www.google.com/favicon.ico"
+      }
+    ],
+    "metaData": {
+      "useSavedOrder": false,
+      "defaultEngineId": "DuckDuckGo"
+    }
+  });
+
+  let json_bytes = match serde_json::to_vec(&json) {
+    Ok(bytes) => bytes,
+    Err(e) => {
+      log::warn!("Failed to serialize search config: {e}");
+      return;
+    }
+  };
+
+  let magic = b"mozLz40\0";
+  let compressed = lz4_flex::block::compress_prepend_size(&json_bytes);
+  let mut output = Vec::with_capacity(magic.len() + compressed.len());
+  output.extend_from_slice(magic);
+  output.extend_from_slice(&compressed);
+
+  if let Err(e) = std::fs::write(&search_file, &output) {
+    log::warn!("Failed to write search.json.mozlz4: {e}");
+  }
+}
+
 #[cfg(test)]
 mod tests {
  use super::*;
@@ -37,6 +37,14 @@ pub struct CloudUser {
  pub proxy_bandwidth_limit_mb: i64,
  #[serde(rename = "proxyBandwidthUsedMb")]
  pub proxy_bandwidth_used_mb: i64,
+  #[serde(rename = "proxyBandwidthExtraMb", default)]
+  pub proxy_bandwidth_extra_mb: i64,
+  #[serde(rename = "teamId", default)]
+  pub team_id: Option<String>,
+  #[serde(rename = "teamName", default)]
+  pub team_name: Option<String>,
+  #[serde(rename = "teamRole", default)]
+  pub team_role: Option<String>,
 }

 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -247,7 +255,7 @@ impl CloudAuthManager {
    Self::encrypt_and_store(&path, b"DBCAT", token)
  }

-  fn load_access_token() -> Result<Option<String>, String> {
+  pub(crate) fn load_access_token() -> Result<Option<String>, String> {
    let path = Self::get_settings_dir().join("cloud_access_token.dat");
    Self::decrypt_from_file(&path, b"DBCAT")
  }
@@ -570,6 +578,9 @@ impl CloudAuthManager {
  }

  pub async fn logout(&self) -> Result<(), String> {
+    // Disconnect team lock manager
+    crate::team_lock::TEAM_LOCK.disconnect().await;
+
    // Try to call the logout API (best-effort)
    if let Ok(Some(access_token)) = Self::load_access_token() {
      let refresh_token = Self::load_refresh_token().ok().flatten();
@@ -635,6 +646,13 @@ impl CloudAuthManager {
    }
  }

+  pub async fn is_on_team_plan(&self) -> bool {
+    if let Some(state) = self.get_user().await {
+      return state.user.team_id.is_some();
+    }
+    false
+  }
+
  pub async fn get_user(&self) -> Option<CloudAuthState> {
    let state = self.state.lock().await;
    state.clone()
@@ -933,6 +951,13 @@ impl CloudAuthManager {
        log::debug!("Failed to refresh cloud profile: {e}");
      }

+      // Reconnect team lock manager if needed
+      if let Some(auth_state) = CLOUD_AUTH.get_user().await {
+        if let Some(tid) = &auth_state.user.team_id {
+          crate::team_lock::TEAM_LOCK.connect(tid).await;
+        }
+      }
+
      // Sync cloud proxy credentials
      CLOUD_AUTH.sync_cloud_proxy().await;

@@ -976,6 +1001,13 @@ pub async fn cloud_verify_otp(
  // Sync cloud proxy after login
  CLOUD_AUTH.sync_cloud_proxy().await;

+  // Connect team lock manager if on a team plan
+  if state.user.team_id.is_some() {
+    if let Some(tid) = &state.user.team_id {
+      crate::team_lock::TEAM_LOCK.connect(tid).await;
+    }
+  }
+
  let _ = crate::events::emit_empty("cloud-auth-changed");

  let _ = &app_handle;
@@ -74,18 +74,20 @@ fn get_app_bundle_path() -> Option<std::path::PathBuf> {
 pub fn open_gui() {
  log::info!("Opening GUI...");

-  // On macOS, use `open` WITHOUT `-n`. The daemon runs with Accessory
-  // activation policy so macOS won't confuse it with the GUI process.
-  // `open` will either activate the existing GUI or launch a new one.
-  // Using `-n` would bypass the single-instance plugin entirely.
  #[cfg(target_os = "macos")]
  {
-    // Use `open -n` to force launching a new process. Without `-n`, macOS
-    // re-activates the daemon (the existing process from the bundle) instead
-    // of launching the GUI binary. The single-instance Tauri plugin in the
-    // GUI handles deduplication if a GUI instance is already running.
+    // Launch the GUI binary directly. The daemon lives inside the same .app
+    // bundle, so `open` (even with `-n`) can re-activate the daemon instead
+    // of launching the GUI. Directly running the binary avoids macOS's app
+    // activation machinery. The single-instance Tauri plugin in the GUI
+    // handles deduplication if a GUI instance is already running.
    if let Some(app_bundle) = get_app_bundle_path() {
-      let _ = Command::new("open").args(["-n"]).arg(&app_bundle).spawn();
+      let gui_binary = app_bundle.join("Contents").join("MacOS").join("Donut");
+      if gui_binary.exists() {
+        let _ = Command::new(&gui_binary).spawn();
+      } else {
+        let _ = Command::new("open").args(["-n"]).arg(&app_bundle).spawn();
+      }
    } else {
      let _ = Command::new("open").args(["-n", "-a", "Donut"]).spawn();
    }
@@ -158,7 +158,11 @@ impl Downloader {
        let release = releases
          .iter()
          .find(|r| r.tag_name == version)
-          .ok_or(format!("Camoufox version {version} not found"))?;
+          .or_else(|| {
+            log::info!("Camoufox: requested version {version} not found, using latest available");
+            releases.first()
+          })
+          .ok_or("No Camoufox releases found".to_string())?;

        // Get platform and architecture info
        let (os, arch) = Self::get_platform_info();
@@ -179,14 +183,10 @@ impl Downloader {
          .fetch_wayfern_version_with_caching(true)
          .await?;

-        // Verify requested version matches available version
        if version_info.version != version {
-          return Err(
-            format!(
-              "Wayfern version {version} not found. Available version: {}",
-              version_info.version
-            )
-            .into(),
+          log::info!(
+            "Wayfern: requested version {version}, using available version {}",
+            version_info.version
          );
        }

@@ -659,6 +659,41 @@ impl Downloader {
      return Err("Please accept Wayfern Terms and Conditions before downloading browsers".into());
    }

+    // For Wayfern/Camoufox, resolve the actual available version from the API
+    let version = if browser_str == "wayfern" {
+      match self
+        .api_client
+        .fetch_wayfern_version_with_caching(true)
+        .await
+      {
+        Ok(info) if info.version != version => {
+          log::info!(
+            "Wayfern: requested {version}, using available {}",
+            info.version
+          );
+          info.version
+        }
+        _ => version,
+      }
+    } else if browser_str == "camoufox" {
+      match self
+        .api_client
+        .fetch_camoufox_releases_with_caching(true)
+        .await
+      {
+        Ok(releases) if !releases.is_empty() && releases[0].tag_name != version => {
+          log::info!(
+            "Camoufox: requested {version}, using available {}",
+            releases[0].tag_name
+          );
+          releases[0].tag_name.clone()
+        }
+        _ => version,
+      }
+    } else {
+      version
+    };
+
    // Check if this browser-version pair is already being downloaded
    let download_key = format!("{browser_str}-{version}");
    let cancel_token = {
@@ -998,6 +1033,51 @@ impl Downloader {
      tokens.remove(&download_key);
    }

+    // Auto-update non-running profiles to the new version and cleanup unused binaries
+    {
+      let browser_for_update = browser_str.clone();
+      let version_for_update = version.clone();
+      let app_handle_for_update = app_handle.clone();
+      tauri::async_runtime::spawn(async move {
+        let auto_updater = crate::auto_updater::AutoUpdater::instance();
+        match auto_updater
+          .auto_update_profile_versions(
+            &app_handle_for_update,
+            &browser_for_update,
+            &version_for_update,
+          )
+          .await
+        {
+          Ok(updated) => {
+            if !updated.is_empty() {
+              log::info!(
+                "Auto-updated {} profiles to {} {}: {:?}",
+                updated.len(),
+                browser_for_update,
+                version_for_update,
+                updated
+              );
+            }
+          }
+          Err(e) => {
+            log::error!("Failed to auto-update profile versions: {e}");
+          }
+        }
+
+        let registry = crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
+        match registry.cleanup_unused_binaries() {
+          Ok(cleaned) => {
+            if !cleaned.is_empty() {
+              log::info!("Cleaned up unused binaries after download: {:?}", cleaned);
+            }
+          }
+          Err(e) => {
+            log::error!("Failed to cleanup unused binaries: {e}");
+          }
+        }
+      });
+    }
+
    Ok(version)
  }
 }
@@ -1033,57 +1113,164 @@ pub async fn cancel_download(browser_str: String, version: String) -> Result<(),
  }
 }

-/// Set DuckDuckGo as the default search engine in Camoufox policies.json.
-/// Removes the fake "None" search engine and explicitly sets DuckDuckGo as default.
+/// Find all candidate `distribution/` directories inside the Camoufox browser dir.
+/// On macOS: `<browser_dir>/<app>.app/Contents/Resources/distribution/`
+/// On Linux: `<browser_dir>/camoufox/distribution/`
+/// On Windows: `<browser_dir>/distribution/`
+/// Also includes `<browser_dir>/distribution/` as a fallback for all platforms.
+#[allow(clippy::vec_init_then_push)]
+fn find_camoufox_distribution_dirs(browser_dir: &Path) -> Vec<std::path::PathBuf> {
+  let mut dirs = Vec::new();
+
+  #[cfg(target_os = "macos")]
+  {
+    if let Ok(entries) = std::fs::read_dir(browser_dir) {
+      for entry in entries.flatten() {
+        if entry.path().extension().is_some_and(|ext| ext == "app") {
+          dirs.push(
+            entry
+              .path()
+              .join("Contents")
+              .join("Resources")
+              .join("distribution"),
+          );
+        }
+      }
+    }
+  }
+
+  #[cfg(target_os = "linux")]
+  {
+    dirs.push(browser_dir.join("camoufox").join("distribution"));
+  }
+
+  // Fallback for all platforms
+  dirs.push(browser_dir.join("distribution"));
+
+  dirs
+}
+
+/// Set DuckDuckGo as the default search engine in Camoufox.
+/// Creates or updates distribution/policies.json with a proper DuckDuckGo engine definition.
 /// Called both at download time and at launch time to cover existing installations.
 pub fn configure_camoufox_search_engine(
  browser_dir: &Path,
 ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
-  let policies_path = browser_dir.join("distribution").join("policies.json");
+  let distribution_dirs = find_camoufox_distribution_dirs(browser_dir);

-  if !policies_path.exists() {
-    return Ok(());
-  }
+  // Find an existing policies.json, or pick the first candidate dir to create one
+  let (policies_path, mut policies) = {
+    let mut found = None;
+    for dir in &distribution_dirs {
+      let path = dir.join("policies.json");
+      if path.exists() {
+        if let Ok(content) = std::fs::read_to_string(&path) {
+          if let Ok(val) = serde_json::from_str::<serde_json::Value>(&content) {
+            found = Some((path, val));
+            break;
+          }
+        }
+      }
+    }
+    match found {
+      Some(f) => f,
+      None => {
+        // Pick the first candidate directory that exists (or can be created)
+        let target_dir = distribution_dirs
+          .iter()
+          .find(|d| d.parent().is_some_and(|p| p.exists()))
+          .or(distribution_dirs.first())
+          .ok_or("No suitable distribution directory found")?;
+        std::fs::create_dir_all(target_dir)?;
+        (
+          target_dir.join("policies.json"),
+          serde_json::json!({"policies": {}}),
+        )
+      }
+    }
+  };

-  let content = std::fs::read_to_string(&policies_path)?;
-  let mut policies: serde_json::Value = serde_json::from_str(&content)?;
-
-  let current_default = policies
+  // Check if already configured
+  let has_ddg_default = policies
    .get("policies")
    .and_then(|p| p.get("SearchEngines"))
    .and_then(|se| se.get("Default"))
    .and_then(|d| d.as_str())
-    .unwrap_or("");
+    == Some("DuckDuckGo");

-  if current_default == "DuckDuckGo" {
+  let has_ddg_engine = policies
+    .get("policies")
+    .and_then(|p| p.get("SearchEngines"))
+    .and_then(|se| se.get("Add"))
+    .and_then(|a| a.as_array())
+    .is_some_and(|arr| {
+      arr
+        .iter()
+        .any(|e| e.get("Name").and_then(|n| n.as_str()) == Some("DuckDuckGo"))
+    });
+
+  if has_ddg_default && has_ddg_engine {
    return Ok(());
  }

-  if let Some(policies_obj) = policies.get_mut("policies") {
-    if let Some(se) = policies_obj.get_mut("SearchEngines") {
-      // Set DuckDuckGo as the explicit default
-      if let Some(obj) = se.as_object_mut() {
-        obj.insert(
-          "Default".to_string(),
-          serde_json::Value::String("DuckDuckGo".to_string()),
-        );
-      }
+  let ddg_engine = serde_json::json!({
+    "Name": "DuckDuckGo",
+    "URLTemplate": "https://duckduckgo.com/?q={searchTerms}",
+    "SuggestURLTemplate": "https://duckduckgo.com/ac/?q={searchTerms}&type=list",
+    "Method": "GET",
+    "IconURL": "https://duckduckgo.com/favicon.ico",
+    "Alias": "ddg"
+  });

-      // Remove the fake "None" search engine entry from Add
-      if let Some(add_arr) = se.get_mut("Add").and_then(|a| a.as_array_mut()) {
-        add_arr.retain(|entry| entry.get("Name").and_then(|n| n.as_str()) != Some("None"));
-      }
+  // Ensure policies.SearchEngines exists
+  let policies_obj = policies
+    .as_object_mut()
+    .ok_or("Invalid policies.json")?
+    .entry("policies")
+    .or_insert(serde_json::json!({}));
+  let se = policies_obj
+    .as_object_mut()
+    .ok_or("Invalid policies object")?
+    .entry("SearchEngines")
+    .or_insert(serde_json::json!({}));

-      // Ensure DuckDuckGo is not in the Remove list
-      if let Some(remove_arr) = se.get_mut("Remove").and_then(|r| r.as_array_mut()) {
-        remove_arr.retain(|v| v.as_str() != Some("DuckDuckGo"));
-      }
+  if let Some(se_obj) = se.as_object_mut() {
+    // Set DuckDuckGo as default
+    se_obj.insert(
+      "Default".to_string(),
+      serde_json::Value::String("DuckDuckGo".to_string()),
+    );
+
+    // Add DuckDuckGo engine definition if not present
+    let add_arr = se_obj
+      .entry("Add")
+      .or_insert(serde_json::json!([]))
+      .as_array_mut()
+      .ok_or("SearchEngines.Add is not an array")?;
+
+    // Remove fake "None" engine
+    add_arr.retain(|entry| entry.get("Name").and_then(|n| n.as_str()) != Some("None"));
+
+    // Add DuckDuckGo if not already present
+    if !add_arr
+      .iter()
+      .any(|e| e.get("Name").and_then(|n| n.as_str()) == Some("DuckDuckGo"))
+    {
+      add_arr.push(ddg_engine);
+    }
+
+    // Ensure DuckDuckGo is not in the Remove list
+    if let Some(remove_arr) = se_obj.get_mut("Remove").and_then(|r| r.as_array_mut()) {
+      remove_arr.retain(|v| v.as_str() != Some("DuckDuckGo"));
    }
  }

  let updated = serde_json::to_string_pretty(&policies)?;
  std::fs::write(&policies_path, updated)?;
-  log::info!("Set DuckDuckGo as default search engine in Camoufox policies.json");
+  log::info!(
+    "Configured DuckDuckGo search engine in {}",
+    policies_path.display()
+  );

  Ok(())
 }
@@ -273,6 +273,10 @@ mod tests {
      last_sync: None,
      host_os: None,
      ephemeral,
+      extension_group_id: None,
+      proxy_bypass_rules: Vec::new(),
+      created_by_id: None,
+      created_by_email: None,
    }
  }

@@ -22,6 +22,7 @@ mod default_browser;
 mod downloaded_browsers_registry;
 mod downloader;
 mod ephemeral_dirs;
+mod extension_manager;
 mod extraction;
 mod geoip_downloader;
 mod group_manager;
@@ -49,6 +50,7 @@ pub mod daemon_ws;
 pub mod events;
 mod mcp_server;
 mod tag_manager;
+mod team_lock;
 mod version_updater;
 pub mod vpn;
 pub mod vpn_worker_runner;
@@ -61,7 +63,8 @@ use browser_runner::{
 use profile::manager::{
  check_browser_status, clone_profile, create_browser_profile_new, delete_profile,
  list_browser_profiles, rename_profile, update_camoufox_config, update_profile_note,
-  update_profile_proxy, update_profile_tags, update_profile_vpn, update_wayfern_config,
+  update_profile_proxy, update_profile_proxy_bypass_rules, update_profile_tags, update_profile_vpn,
+  update_wayfern_config,
 };

 use browser_version_manager::{
@@ -87,7 +90,8 @@ use settings_manager::{
 use sync::{
  check_has_e2e_password, delete_e2e_password, enable_sync_for_all_entities,
  get_unsynced_entity_counts, is_group_in_use_by_synced_profile, is_proxy_in_use_by_synced_profile,
-  is_vpn_in_use_by_synced_profile, request_profile_sync, set_e2e_password, set_group_sync_enabled,
+  is_vpn_in_use_by_synced_profile, request_profile_sync, set_e2e_password,
+  set_extension_group_sync_enabled, set_extension_sync_enabled, set_group_sync_enabled,
  set_profile_sync_mode, set_proxy_sync_enabled, set_vpn_sync_enabled,
 };

@@ -111,6 +115,12 @@ use app_auto_updater::{

 use profile_importer::{detect_existing_profiles, import_browser_profile};

+use extension_manager::{
+  add_extension, add_extension_to_group, assign_extension_group_to_profile, create_extension_group,
+  delete_extension, delete_extension_group, get_extension_group_for_profile, list_extension_groups,
+  list_extensions, remove_extension_from_group, update_extension, update_extension_group,
+};
+
 use group_manager::{
  assign_profiles_to_group, create_profile_group, delete_profile_group, delete_selected_profiles,
  get_groups_with_profile_counts, get_profile_groups, update_profile_group,
@@ -1006,29 +1016,31 @@ pub fn run() {
        }
      });

-      let _app_handle_update = app.handle().clone();
      tauri::async_runtime::spawn(async move {
-        log::info!("Starting app update check at startup...");
        let updater = app_auto_updater::AppAutoUpdater::instance();
-        match updater.check_for_updates().await {
-          Ok(Some(update_info)) => {
-            log::info!(
-              "App update available: {} -> {}",
-              update_info.current_version,
-              update_info.new_version
-            );
-            // Emit update available event to the frontend
-            if let Err(e) = events::emit("app-update-available", &update_info) {
-              log::error!("Failed to emit app update event: {e}");
-            } else {
-              log::debug!("App update event emitted successfully");
+        let mut interval = tokio::time::interval(tokio::time::Duration::from_secs(3 * 60 * 60));
+
+        loop {
+          interval.tick().await;
+
+          log::info!("Checking for app updates...");
+          match updater.check_for_updates().await {
+            Ok(Some(update_info)) => {
+              log::info!(
+                "App update available: {} -> {}",
+                update_info.current_version,
+                update_info.new_version
+              );
+              if let Err(e) = events::emit("app-update-available", &update_info) {
+                log::error!("Failed to emit app update event: {e}");
+              }
+            }
+            Ok(None) => {
+              log::debug!("No app updates available");
+            }
+            Err(e) => {
+              log::error!("Failed to check for app updates: {e}");
            }
-          }
-          Ok(None) => {
-            log::debug!("No app updates available");
-          }
-          Err(e) => {
-            log::error!("Failed to check for app updates: {e}");
          }
        }
      });
@@ -1329,6 +1341,7 @@ pub fn run() {
      update_profile_vpn,
      update_profile_tags,
      update_profile_note,
+      update_profile_proxy_bypass_rules,
      check_browser_status,
      kill_browser_profile,
      rename_profile,
@@ -1380,6 +1393,18 @@ pub fn run() {
      delete_profile_group,
      assign_profiles_to_group,
      delete_selected_profiles,
+      list_extensions,
+      add_extension,
+      update_extension,
+      delete_extension,
+      list_extension_groups,
+      create_extension_group,
+      update_extension_group,
+      delete_extension_group,
+      add_extension_to_group,
+      remove_extension_from_group,
+      assign_extension_group_to_profile,
+      get_extension_group_for_profile,
      is_geoip_database_available,
      download_geoip_database,
      start_api_server,
@@ -1398,6 +1423,8 @@ pub fn run() {
      is_group_in_use_by_synced_profile,
      set_vpn_sync_enabled,
      is_vpn_in_use_by_synced_profile,
+      set_extension_sync_enabled,
+      set_extension_group_sync_enabled,
      get_unsynced_entity_counts,
      enable_sync_for_all_entities,
      set_e2e_password,
@@ -1440,7 +1467,10 @@ pub fn run() {
      cloud_auth::cloud_get_states,
      cloud_auth::cloud_get_cities,
      cloud_auth::create_cloud_location_proxy,
-      cloud_auth::restart_sync_service
+      cloud_auth::restart_sync_service,
+      // Team lock commands
+      team_lock::get_team_locks,
+      team_lock::get_team_lock_status,
    ])
    .build(tauri::generate_context!())
    .expect("error while building tauri application")
@@ -1480,6 +1510,10 @@ mod tests {
      "get_vpn_config",
      "list_active_vpn_connections",
      "export_profile_cookies",
+      "update_extension",
+      "set_extension_sync_enabled",
+      "set_extension_group_sync_enabled",
+      "get_team_lock_status",
    ];

    // Extract command names from the generate_handler! macro in this file
@@ -725,6 +725,114 @@ impl McpServer {
          "required": ["profile_id"]
        }),
      },
+      McpTool {
+        name: "update_profile_proxy_bypass_rules".to_string(),
+        description:
+          "Update proxy bypass rules for a profile. Requests matching these rules will connect directly, bypassing the proxy."
+            .to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {
+            "profile_id": {
+              "type": "string",
+              "description": "The UUID of the profile to update"
+            },
+            "rules": {
+              "type": "array",
+              "items": { "type": "string" },
+              "description": "Array of bypass rules. Supports hostnames (e.g. 'example.com'), IP addresses, and regex patterns."
+            }
+          },
+          "required": ["profile_id", "rules"]
+        }),
+      },
+      McpTool {
+        name: "list_extensions".to_string(),
+        description: "List all managed browser extensions. Requires Pro subscription.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {},
+          "required": []
+        }),
+      },
+      McpTool {
+        name: "list_extension_groups".to_string(),
+        description: "List all extension groups. Requires Pro subscription.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {},
+          "required": []
+        }),
+      },
+      McpTool {
+        name: "create_extension_group".to_string(),
+        description: "Create a new extension group. Requires Pro subscription.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {
+            "name": { "type": "string", "description": "Name for the extension group" }
+          },
+          "required": ["name"]
+        }),
+      },
+      McpTool {
+        name: "delete_extension".to_string(),
+        description: "Delete a managed extension. Requires Pro subscription.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {
+            "extension_id": { "type": "string", "description": "The extension ID to delete" }
+          },
+          "required": ["extension_id"]
+        }),
+      },
+      McpTool {
+        name: "delete_extension_group".to_string(),
+        description: "Delete an extension group. Requires Pro subscription.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {
+            "group_id": { "type": "string", "description": "The extension group ID to delete" }
+          },
+          "required": ["group_id"]
+        }),
+      },
+      McpTool {
+        name: "assign_extension_group_to_profile".to_string(),
+        description: "Assign an extension group to a profile, or remove the assignment. Requires Pro subscription.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {
+            "profile_id": { "type": "string", "description": "The profile ID" },
+            "extension_group_id": { "type": "string", "description": "The extension group ID, or empty string to remove" }
+          },
+          "required": ["profile_id"]
+        }),
+      },
+      // Team lock tools
+      McpTool {
+        name: "get_team_locks".to_string(),
+        description: "List all active team profile locks. Requires team plan.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {},
+          "required": []
+        }),
+      },
+      McpTool {
+        name: "get_team_lock_status".to_string(),
+        description: "Check if a profile is locked by a team member. Requires team plan.".to_string(),
+        input_schema: serde_json::json!({
+          "type": "object",
+          "properties": {
+            "profile_id": {
+              "type": "string",
+              "description": "The UUID of the profile to check"
+            }
+          },
+          "required": ["profile_id"]
+        }),
+      },
    ]
  }

@@ -826,6 +934,25 @@ impl McpServer {
      // Fingerprint management
      "get_profile_fingerprint" => self.handle_get_profile_fingerprint(&arguments).await,
      "update_profile_fingerprint" => self.handle_update_profile_fingerprint(&arguments).await,
+      "update_profile_proxy_bypass_rules" => {
+        self
+          .handle_update_profile_proxy_bypass_rules(&arguments)
+          .await
+      }
+      // Extension management
+      "list_extensions" => self.handle_list_extensions().await,
+      "list_extension_groups" => self.handle_list_extension_groups().await,
+      "create_extension_group" => self.handle_create_extension_group(&arguments).await,
+      "delete_extension" => self.handle_delete_extension_mcp(&arguments).await,
+      "delete_extension_group" => self.handle_delete_extension_group_mcp(&arguments).await,
+      "assign_extension_group_to_profile" => {
+        self
+          .handle_assign_extension_group_to_profile(&arguments)
+          .await
+      }
+      // Team lock tools
+      "get_team_locks" => self.handle_get_team_locks().await,
+      "get_team_lock_status" => self.handle_get_team_lock_status(&arguments).await,
      _ => Err(McpError {
        code: -32602,
        message: format!("Unknown tool: {tool_name}"),
@@ -940,6 +1067,14 @@ impl McpServer {
      });
    }

+    // Team lock check
+    crate::team_lock::acquire_team_lock_if_needed(profile)
+      .await
+      .map_err(|e| McpError {
+        code: -32000,
+        message: e,
+      })?;
+
    // Get app handle to launch
    let inner = self.inner.lock().await;
    let app_handle = inner.app_handle.as_ref().ok_or_else(|| McpError {
@@ -1021,6 +1156,8 @@ impl McpServer {
        message: format!("Failed to kill browser: {e}"),
      })?;

+    crate::team_lock::release_team_lock_if_needed(profile).await;
+
    Ok(serde_json::json!({
      "content": [{
        "type": "text",
@@ -2066,6 +2203,272 @@ impl McpServer {
      }]
    }))
  }
+
+  async fn handle_update_profile_proxy_bypass_rules(
+    &self,
+    arguments: &serde_json::Value,
+  ) -> Result<serde_json::Value, McpError> {
+    let profile_id = arguments
+      .get("profile_id")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing profile_id".to_string(),
+      })?;
+
+    let rules: Vec<String> = arguments
+      .get("rules")
+      .and_then(|v| v.as_array())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing rules array".to_string(),
+      })?
+      .iter()
+      .filter_map(|v| v.as_str().map(|s| s.to_string()))
+      .collect();
+
+    let inner = self.inner.lock().await;
+    let app_handle = inner.app_handle.as_ref().ok_or_else(|| McpError {
+      code: -32000,
+      message: "MCP server not properly initialized".to_string(),
+    })?;
+
+    let profile = ProfileManager::instance()
+      .update_profile_proxy_bypass_rules(app_handle, profile_id, rules.clone())
+      .map_err(|e| McpError {
+        code: -32000,
+        message: format!("Failed to update proxy bypass rules: {e}"),
+      })?;
+
+    Ok(serde_json::json!({
+      "content": [{
+        "type": "text",
+        "text": format!(
+          "Proxy bypass rules updated for profile '{}': {} rule(s) configured",
+          profile.name,
+          rules.len()
+        )
+      }]
+    }))
+  }
+
+  async fn handle_list_extensions(&self) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.has_active_paid_subscription().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Extension management requires an active Pro subscription".to_string(),
+      });
+    }
+    let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+    let extensions = mgr.list_extensions().map_err(|e| McpError {
+      code: -32000,
+      message: format!("Failed to list extensions: {e}"),
+    })?;
+    Ok(serde_json::to_value(extensions).unwrap())
+  }
+
+  async fn handle_list_extension_groups(&self) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.has_active_paid_subscription().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Extension management requires an active Pro subscription".to_string(),
+      });
+    }
+    let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+    let groups = mgr.list_groups().map_err(|e| McpError {
+      code: -32000,
+      message: format!("Failed to list extension groups: {e}"),
+    })?;
+    Ok(serde_json::to_value(groups).unwrap())
+  }
+
+  async fn handle_create_extension_group(
+    &self,
+    arguments: &serde_json::Value,
+  ) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.has_active_paid_subscription().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Extension management requires an active Pro subscription".to_string(),
+      });
+    }
+    let name = arguments
+      .get("name")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing required parameter: name".to_string(),
+      })?;
+    let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+    let group = mgr.create_group(name.to_string()).map_err(|e| McpError {
+      code: -32000,
+      message: format!("Failed to create extension group: {e}"),
+    })?;
+    Ok(serde_json::to_value(group).unwrap())
+  }
+
+  async fn handle_delete_extension_mcp(
+    &self,
+    arguments: &serde_json::Value,
+  ) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.has_active_paid_subscription().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Extension management requires an active Pro subscription".to_string(),
+      });
+    }
+    let extension_id = arguments
+      .get("extension_id")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing required parameter: extension_id".to_string(),
+      })?;
+    let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+    mgr
+      .delete_extension_internal(extension_id)
+      .map_err(|e| McpError {
+        code: -32000,
+        message: format!("Failed to delete extension: {e}"),
+      })?;
+    Ok(serde_json::json!({"success": true}))
+  }
+
+  async fn handle_delete_extension_group_mcp(
+    &self,
+    arguments: &serde_json::Value,
+  ) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.has_active_paid_subscription().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Extension management requires an active Pro subscription".to_string(),
+      });
+    }
+    let group_id = arguments
+      .get("group_id")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing required parameter: group_id".to_string(),
+      })?;
+    let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+    // For MCP, we don't have an app_handle, but we need one for sync deletion.
+    // Use the delete_group_internal which skips sync remote deletion.
+    mgr.delete_group_internal(group_id).map_err(|e| McpError {
+      code: -32000,
+      message: format!("Failed to delete extension group: {e}"),
+    })?;
+    if let Err(e) = crate::events::emit_empty("extensions-changed") {
+      log::error!("Failed to emit extensions-changed event: {e}");
+    }
+    Ok(serde_json::json!({"success": true}))
+  }
+
+  async fn handle_assign_extension_group_to_profile(
+    &self,
+    arguments: &serde_json::Value,
+  ) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.has_active_paid_subscription().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Extension management requires an active Pro subscription".to_string(),
+      });
+    }
+    let profile_id = arguments
+      .get("profile_id")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing required parameter: profile_id".to_string(),
+      })?;
+    let extension_group_id = arguments
+      .get("extension_group_id")
+      .and_then(|v| v.as_str())
+      .map(|s| {
+        if s.is_empty() {
+          None
+        } else {
+          Some(s.to_string())
+        }
+      })
+      .unwrap_or(None);
+
+    // Validate compatibility if assigning
+    if let Some(ref gid) = extension_group_id {
+      let profile_manager = ProfileManager::instance();
+      let profiles = profile_manager.list_profiles().map_err(|e| McpError {
+        code: -32000,
+        message: format!("Failed to list profiles: {e}"),
+      })?;
+      let profile = profiles
+        .iter()
+        .find(|p| p.id.to_string() == profile_id)
+        .ok_or_else(|| McpError {
+          code: -32000,
+          message: format!("Profile '{profile_id}' not found"),
+        })?;
+      let mgr = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+      mgr
+        .validate_group_compatibility(gid, &profile.browser)
+        .map_err(|e| McpError {
+          code: -32000,
+          message: format!("{e}"),
+        })?;
+    }
+
+    let profile_manager = ProfileManager::instance();
+    let profile = profile_manager
+      .update_profile_extension_group(profile_id, extension_group_id)
+      .map_err(|e| McpError {
+        code: -32000,
+        message: format!("Failed to assign extension group: {e}"),
+      })?;
+    Ok(serde_json::to_value(profile).unwrap())
+  }
+
+  async fn handle_get_team_locks(&self) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.is_on_team_plan().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Team features require an active team plan".to_string(),
+      });
+    }
+    let locks = crate::team_lock::TEAM_LOCK.get_locks().await;
+    Ok(serde_json::json!({
+      "content": [{
+        "type": "text",
+        "text": serde_json::to_string_pretty(&locks).unwrap_or_default()
+      }]
+    }))
+  }
+
+  async fn handle_get_team_lock_status(
+    &self,
+    arguments: &serde_json::Value,
+  ) -> Result<serde_json::Value, McpError> {
+    if !CLOUD_AUTH.is_on_team_plan().await {
+      return Err(McpError {
+        code: -32000,
+        message: "Team features require an active team plan".to_string(),
+      });
+    }
+    let profile_id = arguments
+      .get("profile_id")
+      .and_then(|v| v.as_str())
+      .ok_or_else(|| McpError {
+        code: -32602,
+        message: "Missing profile_id".to_string(),
+      })?;
+    let lock_status = crate::team_lock::TEAM_LOCK
+      .get_lock_status(profile_id)
+      .await;
+    Ok(serde_json::json!({
+      "content": [{
+        "type": "text",
+        "text": serde_json::to_string_pretty(&lock_status).unwrap_or_default()
+      }]
+    }))
+  }
 }

 lazy_static::lazy_static! {
@@ -2081,8 +2484,8 @@ mod tests {
    let server = McpServer::new();
    let tools = server.get_tools();

-    // Should have at least 26 tools (24 + 2 fingerprint tools)
-    assert!(tools.len() >= 26);
+    // Should have at least 34 tools (26 + 6 extension tools + 2 team lock tools)
+    assert!(tools.len() >= 34);

    // Check tool names
    let tool_names: Vec<&str> = tools.iter().map(|t| t.name.as_str()).collect();
@@ -2118,6 +2521,17 @@ mod tests {
    // Fingerprint tools
    assert!(tool_names.contains(&"get_profile_fingerprint"));
    assert!(tool_names.contains(&"update_profile_fingerprint"));
+    assert!(tool_names.contains(&"update_profile_proxy_bypass_rules"));
+    // Extension tools
+    assert!(tool_names.contains(&"list_extensions"));
+    assert!(tool_names.contains(&"list_extension_groups"));
+    assert!(tool_names.contains(&"create_extension_group"));
+    assert!(tool_names.contains(&"delete_extension"));
+    assert!(tool_names.contains(&"delete_extension_group"));
+    assert!(tool_names.contains(&"assign_extension_group_to_profile"));
+    // Team lock tools
+    assert!(tool_names.contains(&"get_team_locks"));
+    assert!(tool_names.contains(&"get_team_lock_status"));
  }

  #[test]
@@ -874,18 +874,158 @@ pub mod linux {

  pub async fn kill_browser_process_impl(
    pid: u32,
+    profile_data_path: Option<&str>,
  ) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
-    use sysinfo::{Pid, System};
-    let system = System::new_all();
-    if let Some(process) = system.process(Pid::from(pid as usize)) {
-      if !process.kill() {
-        return Err(format!("Failed to kill process {}", pid).into());
+    use sysinfo::{Pid, ProcessRefreshKind, RefreshKind, System};
+
+    log::info!("Attempting to kill browser process with PID: {pid}");
+
+    let mut pids_to_kill = vec![pid];
+
+    // Find all descendant processes
+    let descendants = get_all_descendant_pids(pid);
+    pids_to_kill.extend(descendants);
+
+    // Find additional processes using the same profile path
+    if let Some(profile_path) = profile_data_path {
+      let additional_pids = find_processes_by_profile_path(profile_path);
+      for p in additional_pids {
+        if !pids_to_kill.contains(&p) {
+          log::info!("Found additional process {} using profile path", p);
+          pids_to_kill.push(p);
+        }
      }
-    } else {
-      return Err(format!("Process {} not found", pid).into());
    }

-    log::info!("Successfully killed browser process with PID: {pid}");
+    log::info!("Total processes to kill: {:?}", pids_to_kill);
+
+    // Send SIGKILL to all identified processes
+    for &p in &pids_to_kill {
+      log::info!("Sending SIGKILL to PID: {p}");
+      let _ = Command::new("kill")
+        .args(["-KILL", &p.to_string()])
+        .output();
+    }
+
+    // Also kill by process group and parent PID
+    let pid_str = pid.to_string();
+    let _ = Command::new("pkill")
+      .args(["-KILL", "-P", &pid_str])
+      .output();
+
+    tokio::time::sleep(tokio::time::Duration::from_millis(500)).await;
+
+    // Verify processes are dead
+    let system = System::new_with_specifics(
+      RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+    );
+    let mut still_running = Vec::new();
+    for &p in &pids_to_kill {
+      if system.process(Pid::from(p as usize)).is_some() {
+        still_running.push(p);
+      }
+    }
+
+    if !still_running.is_empty() {
+      log::info!(
+        "Processes {:?} still running, trying final termination",
+        still_running
+      );
+
+      for p in &still_running {
+        let _ = Command::new("kill")
+          .args(["-KILL", &p.to_string()])
+          .output();
+      }
+
+      tokio::time::sleep(tokio::time::Duration::from_millis(1000)).await;
+
+      let system = System::new_with_specifics(
+        RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+      );
+      let mut final_still_running = Vec::new();
+      for &p in &pids_to_kill {
+        if system.process(Pid::from(p as usize)).is_some() {
+          final_still_running.push(p);
+        }
+      }
+
+      if !final_still_running.is_empty() {
+        log::error!(
+          "ERROR: Processes {:?} could not be terminated despite aggressive attempts",
+          final_still_running
+        );
+        return Err(
+          format!(
+            "Failed to terminate browser processes {:?} - still running",
+            final_still_running
+          )
+          .into(),
+        );
+      }
+    }
+
+    log::info!("Browser termination completed for PID: {pid}");
    Ok(())
  }
+
+  fn find_processes_by_profile_path(profile_path: &str) -> Vec<u32> {
+    use sysinfo::{ProcessRefreshKind, RefreshKind, System};
+
+    let mut pids = Vec::new();
+    let system = System::new_with_specifics(
+      RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+    );
+
+    for (pid, process) in system.processes() {
+      let cmd = process.cmd();
+      if cmd.is_empty() {
+        continue;
+      }
+
+      let has_profile = cmd.iter().any(|arg| {
+        if let Some(arg_str) = arg.to_str() {
+          arg_str.contains(profile_path)
+        } else {
+          false
+        }
+      });
+
+      if has_profile {
+        pids.push(pid.as_u32());
+      }
+    }
+
+    pids
+  }
+
+  fn get_all_descendant_pids(parent_pid: u32) -> Vec<u32> {
+    use sysinfo::{ProcessRefreshKind, RefreshKind, System};
+
+    let system = System::new_with_specifics(
+      RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+    );
+    let mut descendants = Vec::new();
+    let mut to_check = vec![parent_pid];
+    let mut checked = std::collections::HashSet::new();
+
+    while let Some(current_pid) = to_check.pop() {
+      if checked.contains(&current_pid) {
+        continue;
+      }
+      checked.insert(current_pid);
+
+      for (pid, process) in system.processes() {
+        let pid_u32 = pid.as_u32();
+        if let Some(parent) = process.parent() {
+          if parent.as_u32() == current_pid && !checked.contains(&pid_u32) {
+            descendants.push(pid_u32);
+            to_check.push(pid_u32);
+          }
+        }
+      }
+    }
+
+    descendants
+  }
 }
@@ -1,6 +1,7 @@
 use crate::api_client::is_browser_version_nightly;
 use crate::browser::{create_browser, BrowserType, ProxySettings};
 use crate::camoufox_manager::CamoufoxConfig;
+use crate::cloud_auth::CLOUD_AUTH;
 use crate::downloaded_browsers_registry::DownloadedBrowsersRegistry;
 use crate::events;
 use crate::profile::types::{get_host_os, BrowserProfile, SyncMode};
@@ -8,7 +9,7 @@ use crate::proxy_manager::PROXY_MANAGER;
 use crate::wayfern_manager::WayfernConfig;
 use std::fs::{self, create_dir_all};
 use std::path::{Path, PathBuf};
-use sysinfo::{Pid, System};
+use sysinfo::{Pid, ProcessRefreshKind, RefreshKind, System};

 pub struct ProfileManager {
  camoufox_manager: &'static crate::camoufox_manager::CamoufoxManager,
@@ -53,6 +54,15 @@ impl ProfileManager {
    if proxy_id.is_some() && vpn_id.is_some() {
      return Err("Cannot set both proxy_id and vpn_id".into());
    }
+
+    // Sync cloud proxy credentials if the profile uses a cloud or cloud-derived proxy
+    if let Some(ref pid) = proxy_id {
+      if PROXY_MANAGER.is_cloud_or_derived(pid) || pid == crate::proxy_manager::CLOUD_PROXY_ID {
+        log::info!("Syncing cloud proxy credentials before profile creation");
+        CLOUD_AUTH.sync_cloud_proxy().await;
+      }
+    }
+
    log::info!("Attempting to create profile: {name}");

    // Check if a profile with this name already exists (case insensitive)
@@ -167,6 +177,10 @@ impl ProfileManager {
          last_sync: None,
          host_os: None,
          ephemeral: false,
+          extension_group_id: None,
+          proxy_bypass_rules: Vec::new(),
+          created_by_id: None,
+          created_by_email: None,
        };

        match self
@@ -284,6 +298,10 @@ impl ProfileManager {
          last_sync: None,
          host_os: None,
          ephemeral: false,
+          extension_group_id: None,
+          proxy_bypass_rules: Vec::new(),
+          created_by_id: None,
+          created_by_email: None,
        };

        match self
@@ -333,6 +351,10 @@ impl ProfileManager {
      last_sync: None,
      host_os: Some(get_host_os()),
      ephemeral,
+      extension_group_id: None,
+      proxy_bypass_rules: Vec::new(),
+      created_by_id: None,
+      created_by_email: None,
    };

    // Save profile info
@@ -722,6 +744,31 @@ impl ProfileManager {
    Ok(profile)
  }

+  pub fn update_profile_proxy_bypass_rules(
+    &self,
+    _app_handle: &tauri::AppHandle,
+    profile_id: &str,
+    rules: Vec<String>,
+  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
+    let profile_uuid =
+      uuid::Uuid::parse_str(profile_id).map_err(|_| format!("Invalid profile ID: {profile_id}"))?;
+    let profiles = self.list_profiles()?;
+    let mut profile = profiles
+      .into_iter()
+      .find(|p| p.id == profile_uuid)
+      .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;
+
+    profile.proxy_bypass_rules = rules;
+
+    self.save_profile(&profile)?;
+
+    if let Err(e) = events::emit_empty("profiles-changed") {
+      log::warn!("Warning: Failed to emit profiles-changed event: {e}");
+    }
+
+    Ok(profile)
+  }
+
  pub fn delete_multiple_profiles(
    &self,
    app_handle: &tauri::AppHandle,
@@ -808,6 +855,7 @@ impl ProfileManager {
  pub fn clone_profile(
    &self,
    profile_id: &str,
+    custom_name: Option<String>,
  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
    let profile_uuid =
      uuid::Uuid::parse_str(profile_id).map_err(|_| format!("Invalid profile ID: {profile_id}"))?;
@@ -824,7 +872,10 @@ impl ProfileManager {
    }

    let new_id = uuid::Uuid::new_v4();
-    let clone_name = self.generate_clone_name(&source.name)?;
+    let clone_name = match custom_name {
+      Some(name) if !name.trim().is_empty() => name.trim().to_string(),
+      _ => self.generate_clone_name(&source.name)?,
+    };

    let profiles_dir = self.get_profiles_dir();
    let source_dir = profiles_dir.join(source.id.to_string());
@@ -856,6 +907,10 @@ impl ProfileManager {
      last_sync: None,
      host_os: Some(get_host_os()),
      ephemeral: false,
+      extension_group_id: source.extension_group_id,
+      proxy_bypass_rules: source.proxy_bypass_rules,
+      created_by_id: None,
+      created_by_email: None,
    };

    self.save_profile(&new_profile)?;
@@ -1127,6 +1182,32 @@ impl ProfileManager {
    Ok(profile)
  }

+  pub fn update_profile_extension_group(
+    &self,
+    profile_id: &str,
+    extension_group_id: Option<String>,
+  ) -> Result<BrowserProfile, Box<dyn std::error::Error>> {
+    let profile_uuid =
+      uuid::Uuid::parse_str(profile_id).map_err(|_| format!("Invalid profile ID: {profile_id}"))?;
+    let profiles = self.list_profiles()?;
+    let mut profile = profiles
+      .into_iter()
+      .find(|p| p.id == profile_uuid)
+      .ok_or_else(|| format!("Profile with ID '{profile_id}' not found"))?;
+
+    profile.extension_group_id = extension_group_id;
+    self.save_profile(&profile)?;
+
+    if let Err(e) = events::emit("profile-updated", &profile) {
+      log::warn!("Failed to emit profile update event: {e}");
+    }
+    if let Err(e) = events::emit_empty("profiles-changed") {
+      log::warn!("Failed to emit profiles-changed event: {e}");
+    }
+
+    Ok(profile)
+  }
+
  pub async fn check_browser_status(
    &self,
    app_handle: tauri::AppHandle,
@@ -1144,7 +1225,9 @@ impl ProfileManager {

    // For non-camoufox browsers, use the existing PID-based logic
    let inner_profile = profile.clone();
-    let mut system = System::new();
+    let system = System::new_with_specifics(
+      RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+    );
    let mut is_running = false;
    let mut found_pid: Option<u32> = None;

@@ -1186,8 +1269,6 @@ impl ProfileManager {

    // If we didn't find the browser with the stored PID, search all processes
    if !is_running {
-      // Refresh all processes only when we need to search (expensive but necessary)
-      system.refresh_all();
      for (pid, process) in system.processes() {
        let cmd = process.cmd();
        if cmd.len() >= 2 {
@@ -1521,9 +1602,10 @@ impl ProfileManager {
      "user_pref(\"startup.homepage_welcome_url\", \"\");".to_string(),
      "user_pref(\"startup.homepage_welcome_url.additional\", \"\");".to_string(),
      "user_pref(\"startup.homepage_override_url\", \"\");".to_string(),
-      // Keep extension updates enabled
+      // Keep extension updates enabled and allow sideloaded extensions
      "user_pref(\"extensions.update.enabled\", true);".to_string(),
      "user_pref(\"extensions.update.autoUpdateDefault\", true);".to_string(),
+      "user_pref(\"extensions.autoDisableScopes\", 0);".to_string(),
      // Completely disable browser update checking
      "user_pref(\"app.update.enabled\", false);".to_string(),
      "user_pref(\"app.update.auto\", false);".to_string(),
@@ -1977,6 +2059,18 @@ pub fn update_profile_note(
    .map_err(|e| format!("Failed to update profile note: {e}"))
 }

+#[tauri::command]
+pub fn update_profile_proxy_bypass_rules(
+  app_handle: tauri::AppHandle,
+  profile_id: String,
+  rules: Vec<String>,
+) -> Result<BrowserProfile, String> {
+  let profile_manager = ProfileManager::instance();
+  profile_manager
+    .update_profile_proxy_bypass_rules(&app_handle, &profile_id, rules)
+    .map_err(|e| format!("Failed to update proxy bypass rules: {e}"))
+}
+
 #[tauri::command]
 pub async fn check_browser_status(
  app_handle: tauri::AppHandle,
@@ -2103,9 +2197,9 @@ pub async fn update_wayfern_config(
 }

 #[tauri::command]
-pub fn clone_profile(profile_id: String) -> Result<BrowserProfile, String> {
+pub fn clone_profile(profile_id: String, name: Option<String>) -> Result<BrowserProfile, String> {
  ProfileManager::instance()
-    .clone_profile(&profile_id)
+    .clone_profile(&profile_id, name)
    .map_err(|e| format!("Failed to clone profile: {e}"))
 }

@@ -57,6 +57,14 @@ pub struct BrowserProfile {
  pub host_os: Option<String>, // OS where profile was created ("macos", "windows", "linux")
  #[serde(default)]
  pub ephemeral: bool,
+  #[serde(default)]
+  pub extension_group_id: Option<String>,
+  #[serde(default)]
+  pub proxy_bypass_rules: Vec<String>,
+  #[serde(default)]
+  pub created_by_id: Option<String>,
+  #[serde(default)]
+  pub created_by_email: Option<String>,
 }

 pub fn default_release_type() -> String {
@@ -559,6 +559,10 @@ impl ProfileImporter {
      last_sync: None,
      host_os: Some(crate::profile::types::get_host_os()),
      ephemeral: false,
+      extension_group_id: None,
+      proxy_bypass_rules: Vec::new(),
+      created_by_id: None,
+      created_by_email: None,
    };

    // Save the profile metadata
@@ -769,6 +769,14 @@ impl ProxyManager {
    Ok(())
  }

+  // Check if a proxy is cloud-managed or cloud-derived (needs fresh credentials)
+  pub fn is_cloud_or_derived(&self, proxy_id: &str) -> bool {
+    let stored_proxies = self.stored_proxies.lock().unwrap();
+    stored_proxies
+      .get(proxy_id)
+      .is_some_and(|p| p.is_cloud_managed || p.is_cloud_derived)
+  }
+
  // Get proxy settings for a stored proxy ID
  pub fn get_proxy_settings_by_id(&self, proxy_id: &str) -> Option<ProxySettings> {
    let stored_proxies = self.stored_proxies.lock().unwrap();
@@ -1184,6 +1192,7 @@ impl ProxyManager {
    proxy_settings: Option<&ProxySettings>,
    browser_pid: u32,
    profile_id: Option<&str>,
+    bypass_rules: Vec<String>,
  ) -> Result<ProxySettings, String> {
    if let Some(name) = profile_id {
      // Check if we have an active proxy recorded for this profile
@@ -1304,6 +1313,13 @@ impl ProxyManager {
      proxy_cmd = proxy_cmd.arg("--profile-id").arg(id);
    }

+    // Add bypass rules if any
+    if !bypass_rules.is_empty() {
+      let rules_json = serde_json::to_string(&bypass_rules)
+        .map_err(|e| format!("Failed to serialize bypass rules: {e}"))?;
+      proxy_cmd = proxy_cmd.arg("--bypass-rules").arg(rules_json);
+    }
+
    // Execute the command and wait for it to complete
    // The donut-proxy binary should start the worker and then exit
    let output = proxy_cmd
@@ -12,13 +12,14 @@ pub async fn start_proxy_process(
  upstream_url: Option<String>,
  port: Option<u16>,
 ) -> Result<ProxyConfig, Box<dyn std::error::Error>> {
-  start_proxy_process_with_profile(upstream_url, port, None).await
+  start_proxy_process_with_profile(upstream_url, port, None, Vec::new()).await
 }

 pub async fn start_proxy_process_with_profile(
  upstream_url: Option<String>,
  port: Option<u16>,
  profile_id: Option<String>,
+  bypass_rules: Vec<String>,
 ) -> Result<ProxyConfig, Box<dyn std::error::Error>> {
  let id = generate_proxy_id();
  let upstream = upstream_url.unwrap_or_else(|| "DIRECT".to_string());
@@ -30,8 +31,9 @@ pub async fn start_proxy_process_with_profile(
    listener.local_addr().unwrap().port()
  });

-  let config =
-    ProxyConfig::new(id.clone(), upstream, Some(local_port)).with_profile_id(profile_id.clone());
+  let config = ProxyConfig::new(id.clone(), upstream, Some(local_port))
+    .with_profile_id(profile_id.clone())
+    .with_bypass_rules(bypass_rules);
  save_proxy_config(&config)?;

  // Log profile_id for debugging
@@ -6,6 +6,7 @@ use hyper::server::conn::http1;
 use hyper::service::service_fn;
 use hyper::{Method, Request, Response, StatusCode};
 use hyper_util::rt::TokioIo;
+use regex_lite::Regex;
 use std::convert::Infallible;
 use std::io;
 use std::net::SocketAddr;
@@ -18,6 +19,38 @@ use tokio::net::TcpListener;
 use tokio::net::TcpStream;
 use url::Url;

+enum CompiledRule {
+  Regex(Regex),
+  Exact(String),
+}
+
+#[derive(Clone)]
+pub struct BypassMatcher {
+  rules: Arc<Vec<CompiledRule>>,
+}
+
+impl BypassMatcher {
+  pub fn new(rules: &[String]) -> Self {
+    let compiled = rules
+      .iter()
+      .map(|rule| match Regex::new(rule) {
+        Ok(re) => CompiledRule::Regex(re),
+        Err(_) => CompiledRule::Exact(rule.clone()),
+      })
+      .collect();
+    Self {
+      rules: Arc::new(compiled),
+    }
+  }
+
+  pub fn should_bypass(&self, host: &str) -> bool {
+    self.rules.iter().any(|rule| match rule {
+      CompiledRule::Regex(re) => re.is_match(host),
+      CompiledRule::Exact(exact) => host == exact,
+    })
+  }
+}
+
 /// Wrapper stream that counts bytes read and written
 struct CountingStream<S> {
  inner: S,
@@ -133,19 +166,21 @@ impl AsyncWrite for PrependReader {
 async fn handle_request(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
+  bypass_matcher: BypassMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  // Handle CONNECT method for HTTPS tunneling
  if req.method() == Method::CONNECT {
-    return handle_connect(req, upstream_url).await;
+    return handle_connect(req, upstream_url, bypass_matcher).await;
  }

  // Handle regular HTTP requests
-  handle_http(req, upstream_url).await
+  handle_http(req, upstream_url, bypass_matcher).await
 }

 async fn handle_connect(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
+  bypass_matcher: BypassMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  let authority = req.uri().authority().cloned();

@@ -161,12 +196,13 @@ async fn handle_connect(
      (&target_addr[..], 443)
    };

-    // If no upstream proxy, connect directly
+    // If no upstream proxy, or bypass rule matches, connect directly
    if upstream_url.is_none()
      || upstream_url
        .as_ref()
        .map(|s| s == "DIRECT")
        .unwrap_or(false)
+      || bypass_matcher.should_bypass(target_host)
    {
      match TcpStream::connect(&target_addr).await {
        Ok(_stream) => {
@@ -674,6 +710,7 @@ async fn handle_http_via_socks4(
 async fn handle_http(
  req: Request<hyper::body::Incoming>,
  upstream_url: Option<String>,
+  bypass_matcher: BypassMatcher,
 ) -> Result<Response<Full<Bytes>>, Infallible> {
  // Extract domain for traffic tracking
  let domain = req
@@ -689,13 +726,17 @@ async fn handle_http(
    req.uri().host()
  );

+  let should_bypass = bypass_matcher.should_bypass(&domain);
+
  // Check if we need to handle SOCKS4 manually (reqwest doesn't support it)
-  if let Some(ref upstream) = upstream_url {
-    if upstream != "DIRECT" {
-      if let Ok(url) = Url::parse(upstream) {
-        if url.scheme() == "socks4" {
-          // Handle SOCKS4 manually for HTTP requests
-          return handle_http_via_socks4(req, upstream).await;
+  if !should_bypass {
+    if let Some(ref upstream) = upstream_url {
+      if upstream != "DIRECT" {
+        if let Ok(url) = Url::parse(upstream) {
+          if url.scheme() == "socks4" {
+            // Handle SOCKS4 manually for HTTP requests
+            return handle_http_via_socks4(req, upstream).await;
+          }
        }
      }
    }
@@ -705,7 +746,9 @@ async fn handle_http(
  use reqwest::Client;

  let client_builder = Client::builder();
-  let client = if let Some(ref upstream) = upstream_url {
+  let client = if should_bypass {
+    client_builder.build().unwrap_or_default()
+  } else if let Some(ref upstream) = upstream_url {
    if upstream == "DIRECT" {
      client_builder.build().unwrap_or_default()
    } else {
@@ -1003,6 +1046,8 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
    }
  });

+  let bypass_matcher = BypassMatcher::new(&config.bypass_rules);
+
  // Keep the runtime alive with an infinite loop
  // This ensures the process doesn't exit even if there are no active connections
  loop {
@@ -1014,6 +1059,7 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
        log::error!("DEBUG: Accepted connection from {:?}", peer_addr);

        let upstream = upstream_url.clone();
+        let matcher = bypass_matcher.clone();

        tokio::task::spawn(async move {
          // Read first bytes to detect CONNECT requests
@@ -1108,7 +1154,9 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
                  "DEBUG: Handling CONNECT manually for: {}",
                  String::from_utf8_lossy(&full_request[..full_request.len().min(200)])
                );
-                if let Err(e) = handle_connect_from_buffer(stream, full_request, upstream).await {
+                if let Err(e) =
+                  handle_connect_from_buffer(stream, full_request, upstream, matcher).await
+                {
                  log::error!("Error handling CONNECT request: {:?}", e);
                } else {
                  log::error!("DEBUG: CONNECT handled successfully");
@@ -1130,7 +1178,8 @@ pub async fn run_proxy_server(config: ProxyConfig) -> Result<(), Box<dyn std::er
                inner: stream,
              };
              let io = TokioIo::new(prepended_reader);
-              let service = service_fn(move |req| handle_request(req, upstream.clone()));
+              let service =
+                service_fn(move |req| handle_request(req, upstream.clone(), matcher.clone()));

              if let Err(err) = http1::Builder::new().serve_connection(io, service).await {
                log::error!("Error serving connection: {:?}", err);
@@ -1156,6 +1205,7 @@ async fn handle_connect_from_buffer(
  mut client_stream: TcpStream,
  request_buffer: Vec<u8>,
  upstream_url: Option<String>,
+  bypass_matcher: BypassMatcher,
 ) -> Result<(), Box<dyn std::error::Error>> {
  // Parse the CONNECT request from the buffer
  let request_str = String::from_utf8_lossy(&request_buffer);
@@ -1193,6 +1243,7 @@ async fn handle_connect_from_buffer(
  }

  // Connect to target (directly or via upstream proxy)
+  let should_bypass = bypass_matcher.should_bypass(target_host);
  let target_stream = match upstream_url.as_ref() {
    None => {
      // Direct connection
@@ -1202,6 +1253,10 @@ async fn handle_connect_from_buffer(
      // Direct connection
      TcpStream::connect((target_host, target_port)).await?
    }
+    _ if should_bypass => {
+      // Bypass rule matched - connect directly
+      TcpStream::connect((target_host, target_port)).await?
+    }
    Some(upstream_url_str) => {
      // Connect via upstream proxy
      let upstream = Url::parse(upstream_url_str)?;
@@ -12,6 +12,8 @@ pub struct ProxyConfig {
  pub pid: Option<u32>,
  #[serde(default)]
  pub profile_id: Option<String>,
+  #[serde(default)]
+  pub bypass_rules: Vec<String>,
 }

 impl ProxyConfig {
@@ -24,6 +26,7 @@ impl ProxyConfig {
      local_url: None,
      pid: None,
      profile_id: None,
+      bypass_rules: Vec::new(),
    }
  }

@@ -31,6 +34,11 @@ impl ProxyConfig {
    self.profile_id = profile_id;
    self
  }
+
+  pub fn with_bypass_rules(mut self, bypass_rules: Vec<String>) -> Self {
+    self.bypass_rules = bypass_rules;
+    self
+  }
 }

 pub fn get_storage_dir() -> PathBuf {
@@ -123,7 +131,9 @@ pub fn generate_proxy_id() -> String {
 }

 pub fn is_process_running(pid: u32) -> bool {
-  use sysinfo::{Pid, System};
-  let system = System::new();
-  system.process(Pid::from(pid as usize)).is_some()
+  use sysinfo::{ProcessRefreshKind, RefreshKind, System};
+  let system = System::new_with_specifics(
+    RefreshKind::nothing().with_processes(ProcessRefreshKind::everything()),
+  );
+  system.process(sysinfo::Pid::from_u32(pid)).is_some()
 }
@@ -128,23 +128,10 @@ impl SettingsManager {

    // Parse the settings file - serde will use default values for missing fields
    match serde_json::from_str::<AppSettings>(&content) {
-      Ok(settings) => {
-        // Save the settings back to ensure any missing fields are written with defaults
-        if let Err(e) = self.save_settings(&settings) {
-          log::warn!("Warning: Failed to update settings file with defaults: {e}");
-        }
-        Ok(settings)
-      }
+      Ok(settings) => Ok(settings),
      Err(e) => {
        log::warn!("Warning: Failed to parse settings file, using defaults: {e}");
-        let default_settings = AppSettings::default();
-
-        // Try to save default settings to fix the corrupted file
-        if let Err(save_error) = self.save_settings(&default_settings) {
-          log::warn!("Warning: Failed to save default settings: {save_error}");
-        }
-
-        Ok(default_settings)
+        Ok(AppSettings::default())
      }
    }
  }
@@ -67,6 +67,23 @@ impl SyncEngine {
    Ok(Self::new(server_url, token))
  }

+  /// Get the key prefix for team profiles. Returns empty string for personal profiles.
+  async fn get_team_key_prefix(profile: &BrowserProfile) -> String {
+    if profile.created_by_id.is_some() {
+      if let Some(auth) = crate::cloud_auth::CLOUD_AUTH.get_user().await {
+        if let Some(team_id) = &auth.user.team_id {
+          return format!("teams/{}/", team_id);
+        }
+      }
+    }
+    String::new()
+  }
+
+  /// Check if this is a self-hosted sync (no cloud login).
+  async fn is_self_hosted_sync() -> bool {
+    !crate::cloud_auth::CLOUD_AUTH.is_logged_in().await
+  }
+
  pub async fn sync_profile(
    &self,
    app_handle: &tauri::AppHandle,
@@ -81,6 +98,16 @@ impl SyncEngine {
      return Ok(());
    }

+    // Skip team profiles for self-hosted sync
+    if Self::is_self_hosted_sync().await && profile.created_by_id.is_some() {
+      log::info!(
+        "Skipping team profile for self-hosted sync: {} ({})",
+        profile.name,
+        profile.id
+      );
+      return Ok(());
+    }
+
    // Derive encryption key if encrypted sync
    let encryption_key = if profile.is_encrypted_sync() {
      let password = encryption::load_e2e_password()
@@ -104,10 +131,18 @@ impl SyncEngine {
    let profile_dir = profiles_dir.join(profile.id.to_string());
    let profile_id = profile.id.to_string();

+    // Determine team key prefix for team profiles
+    let key_prefix = Self::get_team_key_prefix(profile).await;
+
    log::info!(
-      "Starting delta sync for profile: {} ({})",
+      "Starting delta sync for profile: {} ({}){}",
      profile.name,
-      profile_id
+      profile_id,
+      if key_prefix.is_empty() {
+        String::new()
+      } else {
+        format!(" [team prefix: {}]", key_prefix)
+      }
    );

    let _ = events::emit(
@@ -155,7 +190,7 @@ impl SyncEngine {
    hash_cache.save(&cache_path)?;

    // Try to download remote manifest
-    let remote_manifest_key = format!("profiles/{}/manifest.json", profile_id);
+    let remote_manifest_key = format!("{}profiles/{}/manifest.json", key_prefix, profile_id);
    let remote_manifest = self.download_manifest(&remote_manifest_key).await?;

    // Compute diff
@@ -173,6 +208,13 @@ impl SyncEngine {
      return Ok(());
    }

+    let upload_bytes: u64 = diff.files_to_upload.iter().map(|f| f.size).sum();
+    let download_bytes: u64 = diff.files_to_download.iter().map(|f| f.size).sum();
+    let total_files = diff.files_to_upload.len()
+      + diff.files_to_download.len()
+      + diff.files_to_delete_local.len()
+      + diff.files_to_delete_remote.len();
+
    log::info!(
      "Profile {} diff: {} to upload, {} to download, {} to delete local, {} to delete remote",
      profile_id,
@@ -182,6 +224,16 @@ impl SyncEngine {
      diff.files_to_delete_remote.len()
    );

+    let _ = events::emit(
+      "profile-sync-progress",
+      serde_json::json!({
+        "profile_id": profile_id,
+        "phase": "started",
+        "total_files": total_files,
+        "total_bytes": upload_bytes + download_bytes
+      }),
+    );
+
    // Perform uploads
    if !diff.files_to_upload.is_empty() {
      self
@@ -191,6 +243,7 @@ impl SyncEngine {
          &profile_dir,
          &diff.files_to_upload,
          encryption_key.as_ref(),
+          &key_prefix,
        )
        .await?;
    }
@@ -204,6 +257,7 @@ impl SyncEngine {
          &profile_dir,
          &diff.files_to_download,
          encryption_key.as_ref(),
+          &key_prefix,
        )
        .await?;
    }
@@ -219,18 +273,22 @@ impl SyncEngine {

    // Delete remote files that don't exist locally (when local is newer)
    for path in &diff.files_to_delete_remote {
-      let remote_key = format!("profiles/{}/files/{}", profile_id, path);
+      let remote_key = format!("{}profiles/{}/files/{}", key_prefix, profile_id, path);
      let _ = self.client.delete(&remote_key, None).await;
      log::debug!("Deleted remote file: {}", path);
    }

    // Upload metadata.json (sanitized profile)
-    self.upload_profile_metadata(&profile_id, profile).await?;
+    self
+      .upload_profile_metadata(&profile_id, profile, &key_prefix)
+      .await?;

    // Upload manifest.json last for atomicity
    let mut final_manifest = local_manifest;
    final_manifest.encrypted = encryption_key.is_some();
-    self.upload_manifest(&profile_id, &final_manifest).await?;
+    self
+      .upload_manifest(&profile_id, &final_manifest, &key_prefix)
+      .await?;

    // Sync associated proxy, group, and VPN
    if let Some(proxy_id) = &profile.proxy_id {
@@ -281,11 +339,16 @@ impl SyncEngine {
    Ok(Some(manifest))
  }

-  async fn upload_manifest(&self, profile_id: &str, manifest: &SyncManifest) -> SyncResult<()> {
+  async fn upload_manifest(
+    &self,
+    profile_id: &str,
+    manifest: &SyncManifest,
+    key_prefix: &str,
+  ) -> SyncResult<()> {
    let json = serde_json::to_string_pretty(manifest)
      .map_err(|e| SyncError::SerializationError(format!("Failed to serialize manifest: {e}")))?;

-    let remote_key = format!("profiles/{}/manifest.json", profile_id);
+    let remote_key = format!("{}profiles/{}/manifest.json", key_prefix, profile_id);
    let presign = self
      .client
      .presign_upload(&remote_key, Some("application/json"))
@@ -303,6 +366,7 @@ impl SyncEngine {
    &self,
    profile_id: &str,
    profile: &BrowserProfile,
+    key_prefix: &str,
  ) -> SyncResult<()> {
    let mut sanitized = profile.clone();
    sanitized.process_id = None;
@@ -311,7 +375,7 @@ impl SyncEngine {
    let json = serde_json::to_string_pretty(&sanitized)
      .map_err(|e| SyncError::SerializationError(format!("Failed to serialize profile: {e}")))?;

-    let remote_key = format!("profiles/{}/metadata.json", profile_id);
+    let remote_key = format!("{}profiles/{}/metadata.json", key_prefix, profile_id);
    let presign = self
      .client
      .presign_upload(&remote_key, Some("application/json"))
@@ -332,6 +396,7 @@ impl SyncEngine {
    profile_dir: &Path,
    files: &[super::manifest::ManifestFileEntry],
    encryption_key: Option<&[u8; 32]>,
+    key_prefix: &str,
  ) -> SyncResult<()> {
    if files.is_empty() {
      return Ok(());
@@ -343,7 +408,7 @@ impl SyncEngine {
    let items: Vec<(String, Option<String>)> = files
      .iter()
      .map(|f| {
-        let key = format!("profiles/{}/files/{}", profile_id, f.path);
+        let key = format!("{}profiles/{}/files/{}", key_prefix, profile_id, f.path);
        let content_type = mime_guess::from_path(&f.path)
          .first()
          .map(|m| m.to_string());
@@ -372,7 +437,7 @@ impl SyncEngine {
    for file in files {
      let sem = semaphore.clone();
      let file_path = profile_dir.join(&file.path);
-      let remote_key = format!("profiles/{}/files/{}", profile_id, file.path);
+      let remote_key = format!("{}profiles/{}/files/{}", key_prefix, profile_id, file.path);
      let url = url_map.get(&remote_key).cloned();

      if url.is_none() {
@@ -442,6 +507,7 @@ impl SyncEngine {
    profile_dir: &Path,
    files: &[super::manifest::ManifestFileEntry],
    encryption_key: Option<&[u8; 32]>,
+    key_prefix: &str,
  ) -> SyncResult<()> {
    if files.is_empty() {
      return Ok(());
@@ -456,7 +522,7 @@ impl SyncEngine {
    // Get batch presigned URLs
    let keys: Vec<String> = files
      .iter()
-      .map(|f| format!("profiles/{}/files/{}", profile_id, f.path))
+      .map(|f| format!("{}profiles/{}/files/{}", key_prefix, profile_id, f.path))
      .collect();

    let batch_response = self.client.presign_download_batch(keys).await?;
@@ -480,7 +546,7 @@ impl SyncEngine {
    for file in files {
      let sem = semaphore.clone();
      let file_path = profile_dir.join(&file.path);
-      let remote_key = format!("profiles/{}/files/{}", profile_id, file.path);
+      let remote_key = format!("{}profiles/{}/files/{}", key_prefix, profile_id, file.path);
      let url = url_map.get(&remote_key).cloned();

      if url.is_none() {
@@ -845,6 +911,26 @@ impl SyncEngine {
      profile_id,
      result.deleted_count
    );
+
+    // Also delete from team path if user is on a team
+    if let Some(auth) = crate::cloud_auth::CLOUD_AUTH.get_user().await {
+      if let Some(team_id) = &auth.user.team_id {
+        let team_prefix = format!("teams/{}/profiles/{}/", team_id, profile_id);
+        let team_tombstone = format!("teams/{}/tombstones/profiles/{}.json", team_id, profile_id);
+        let team_result = self
+          .client
+          .delete_prefix(&team_prefix, Some(&team_tombstone))
+          .await?;
+        if team_result.deleted_count > 0 {
+          log::info!(
+            "Profile {} deleted from team sync ({} objects removed)",
+            profile_id,
+            team_result.deleted_count
+          );
+        }
+      }
+    }
+
    Ok(())
  }

@@ -1013,11 +1099,353 @@ impl SyncEngine {
    Ok(())
  }

+  // Extension sync
+
+  async fn sync_extension(
+    &self,
+    ext_id: &str,
+    app_handle: Option<&tauri::AppHandle>,
+  ) -> SyncResult<()> {
+    let local_ext = {
+      let manager = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+      manager.get_extension(ext_id).ok()
+    };
+
+    let remote_key = format!("extensions/{}.json", ext_id);
+    let stat = self.client.stat(&remote_key).await?;
+
+    match (local_ext, stat.exists) {
+      (Some(ext), true) => {
+        let local_updated = ext.last_sync.unwrap_or(0);
+        let remote_updated: DateTime<Utc> = stat
+          .last_modified
+          .as_ref()
+          .and_then(|s| DateTime::parse_from_rfc3339(s).ok())
+          .map(|dt| dt.with_timezone(&Utc))
+          .unwrap_or_else(Utc::now);
+        let remote_ts = remote_updated.timestamp() as u64;
+
+        if remote_ts > local_updated {
+          self.download_extension(ext_id, app_handle).await?;
+        } else if local_updated > remote_ts {
+          self.upload_extension(&ext).await?;
+        }
+      }
+      (Some(ext), false) => {
+        self.upload_extension(&ext).await?;
+      }
+      (None, true) => {
+        self.download_extension(ext_id, app_handle).await?;
+      }
+      (None, false) => {
+        log::debug!("Extension {} not found locally or remotely", ext_id);
+      }
+    }
+
+    Ok(())
+  }
+
+  async fn upload_extension(&self, ext: &crate::extension_manager::Extension) -> SyncResult<()> {
+    let now = std::time::SystemTime::now()
+      .duration_since(std::time::UNIX_EPOCH)
+      .unwrap()
+      .as_secs();
+
+    let mut updated_ext = ext.clone();
+    updated_ext.last_sync = Some(now);
+
+    let json = serde_json::to_string_pretty(&updated_ext)
+      .map_err(|e| SyncError::SerializationError(format!("Failed to serialize extension: {e}")))?;
+
+    let remote_key = format!("extensions/{}.json", ext.id);
+    let presign = self
+      .client
+      .presign_upload(&remote_key, Some("application/json"))
+      .await?;
+    self
+      .client
+      .upload_bytes(&presign.url, json.as_bytes(), Some("application/json"))
+      .await?;
+
+    // Also upload the extension file data
+    let file_path = {
+      let manager = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+      let file_dir = manager.get_file_dir_public(&ext.id);
+      file_dir.join(&ext.file_name)
+    };
+
+    if file_path.exists() {
+      let file_data = fs::read(&file_path).map_err(|e| {
+        SyncError::IoError(format!(
+          "Failed to read extension file {}: {e}",
+          file_path.display()
+        ))
+      })?;
+
+      let file_remote_key = format!("extensions/{}/file/{}", ext.id, ext.file_name);
+      let file_presign = self
+        .client
+        .presign_upload(&file_remote_key, Some("application/octet-stream"))
+        .await?;
+      self
+        .client
+        .upload_bytes(
+          &file_presign.url,
+          &file_data,
+          Some("application/octet-stream"),
+        )
+        .await?;
+    }
+
+    // Update local extension with new last_sync
+    {
+      let manager = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+      if let Err(e) = manager.update_extension_internal(&updated_ext) {
+        log::warn!("Failed to update extension last_sync: {}", e);
+      }
+    }
+
+    log::info!("Extension {} uploaded", ext.id);
+    Ok(())
+  }
+
+  async fn download_extension(
+    &self,
+    ext_id: &str,
+    app_handle: Option<&tauri::AppHandle>,
+  ) -> SyncResult<()> {
+    let remote_key = format!("extensions/{}.json", ext_id);
+    let presign = self.client.presign_download(&remote_key).await?;
+    let data = self.client.download_bytes(&presign.url).await?;
+
+    let mut ext: crate::extension_manager::Extension = serde_json::from_slice(&data)
+      .map_err(|e| SyncError::SerializationError(format!("Failed to parse extension JSON: {e}")))?;
+
+    ext.last_sync = Some(
+      std::time::SystemTime::now()
+        .duration_since(std::time::UNIX_EPOCH)
+        .unwrap()
+        .as_secs(),
+    );
+    ext.sync_enabled = true;
+
+    // Download the extension file
+    let file_remote_key = format!("extensions/{}/file/{}", ext.id, ext.file_name);
+    let file_stat = self.client.stat(&file_remote_key).await?;
+    if file_stat.exists {
+      let file_presign = self.client.presign_download(&file_remote_key).await?;
+      let file_data = self.client.download_bytes(&file_presign.url).await?;
+
+      let manager = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+      let file_dir = manager.get_file_dir_public(&ext.id);
+      drop(manager);
+
+      fs::create_dir_all(&file_dir).map_err(|e| {
+        SyncError::IoError(format!(
+          "Failed to create extension file dir {}: {e}",
+          file_dir.display()
+        ))
+      })?;
+      let file_path = file_dir.join(&ext.file_name);
+      fs::write(&file_path, &file_data).map_err(|e| {
+        SyncError::IoError(format!(
+          "Failed to write extension file {}: {e}",
+          file_path.display()
+        ))
+      })?;
+    }
+
+    // Save or update local extension
+    {
+      let manager = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+      if let Err(e) = manager.upsert_extension_internal(&ext) {
+        log::warn!("Failed to save downloaded extension: {}", e);
+      }
+    }
+
+    if let Some(_handle) = app_handle {
+      let _ = events::emit("extensions-changed", ());
+    }
+
+    log::info!("Extension {} downloaded", ext_id);
+    Ok(())
+  }
+
+  pub async fn sync_extension_by_id_with_handle(
+    &self,
+    ext_id: &str,
+    app_handle: &tauri::AppHandle,
+  ) -> SyncResult<()> {
+    self.sync_extension(ext_id, Some(app_handle)).await
+  }
+
+  pub async fn delete_extension(&self, ext_id: &str) -> SyncResult<()> {
+    let remote_key = format!("extensions/{}.json", ext_id);
+    let file_prefix = format!("extensions/{}/file/", ext_id);
+    let tombstone_key = format!("tombstones/extensions/{}.json", ext_id);
+
+    // Delete metadata
+    self
+      .client
+      .delete(&remote_key, Some(&tombstone_key))
+      .await?;
+
+    // Delete file data
+    let _ = self.client.delete_prefix(&file_prefix, None).await;
+
+    log::info!("Extension {} deleted from sync", ext_id);
+    Ok(())
+  }
+
+  // Extension group sync
+
+  async fn sync_extension_group(
+    &self,
+    group_id: &str,
+    app_handle: Option<&tauri::AppHandle>,
+  ) -> SyncResult<()> {
+    let local_group = {
+      let manager = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+      manager.get_group(group_id).ok()
+    };
+
+    let remote_key = format!("extension_groups/{}.json", group_id);
+    let stat = self.client.stat(&remote_key).await?;
+
+    match (local_group, stat.exists) {
+      (Some(group), true) => {
+        let local_updated = group.last_sync.unwrap_or(0);
+        let remote_updated: DateTime<Utc> = stat
+          .last_modified
+          .as_ref()
+          .and_then(|s| DateTime::parse_from_rfc3339(s).ok())
+          .map(|dt| dt.with_timezone(&Utc))
+          .unwrap_or_else(Utc::now);
+        let remote_ts = remote_updated.timestamp() as u64;
+
+        if remote_ts > local_updated {
+          self.download_extension_group(group_id, app_handle).await?;
+        } else if local_updated > remote_ts {
+          self.upload_extension_group(&group).await?;
+        }
+      }
+      (Some(group), false) => {
+        self.upload_extension_group(&group).await?;
+      }
+      (None, true) => {
+        self.download_extension_group(group_id, app_handle).await?;
+      }
+      (None, false) => {
+        log::debug!("Extension group {} not found locally or remotely", group_id);
+      }
+    }
+
+    Ok(())
+  }
+
+  async fn upload_extension_group(
+    &self,
+    group: &crate::extension_manager::ExtensionGroup,
+  ) -> SyncResult<()> {
+    let now = std::time::SystemTime::now()
+      .duration_since(std::time::UNIX_EPOCH)
+      .unwrap()
+      .as_secs();
+
+    let mut updated_group = group.clone();
+    updated_group.last_sync = Some(now);
+
+    let json = serde_json::to_string_pretty(&updated_group).map_err(|e| {
+      SyncError::SerializationError(format!("Failed to serialize extension group: {e}"))
+    })?;
+
+    let remote_key = format!("extension_groups/{}.json", group.id);
+    let presign = self
+      .client
+      .presign_upload(&remote_key, Some("application/json"))
+      .await?;
+    self
+      .client
+      .upload_bytes(&presign.url, json.as_bytes(), Some("application/json"))
+      .await?;
+
+    // Update local group with new last_sync
+    {
+      let manager = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+      if let Err(e) = manager.update_group_internal(&updated_group) {
+        log::warn!("Failed to update extension group last_sync: {}", e);
+      }
+    }
+
+    log::info!("Extension group {} uploaded", group.id);
+    Ok(())
+  }
+
+  async fn download_extension_group(
+    &self,
+    group_id: &str,
+    app_handle: Option<&tauri::AppHandle>,
+  ) -> SyncResult<()> {
+    let remote_key = format!("extension_groups/{}.json", group_id);
+    let presign = self.client.presign_download(&remote_key).await?;
+    let data = self.client.download_bytes(&presign.url).await?;
+
+    let mut group: crate::extension_manager::ExtensionGroup = serde_json::from_slice(&data)
+      .map_err(|e| {
+        SyncError::SerializationError(format!("Failed to parse extension group JSON: {e}"))
+      })?;
+
+    group.last_sync = Some(
+      std::time::SystemTime::now()
+        .duration_since(std::time::UNIX_EPOCH)
+        .unwrap()
+        .as_secs(),
+    );
+    group.sync_enabled = true;
+
+    // Save or update local group
+    {
+      let manager = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+      if let Err(e) = manager.upsert_group_internal(&group) {
+        log::warn!("Failed to save downloaded extension group: {}", e);
+      }
+    }
+
+    if let Some(_handle) = app_handle {
+      let _ = events::emit("extensions-changed", ());
+    }
+
+    log::info!("Extension group {} downloaded", group_id);
+    Ok(())
+  }
+
+  pub async fn sync_extension_group_by_id_with_handle(
+    &self,
+    group_id: &str,
+    app_handle: &tauri::AppHandle,
+  ) -> SyncResult<()> {
+    self.sync_extension_group(group_id, Some(app_handle)).await
+  }
+
+  pub async fn delete_extension_group(&self, group_id: &str) -> SyncResult<()> {
+    let remote_key = format!("extension_groups/{}.json", group_id);
+    let tombstone_key = format!("tombstones/extension_groups/{}.json", group_id);
+
+    self
+      .client
+      .delete(&remote_key, Some(&tombstone_key))
+      .await?;
+
+    log::info!("Extension group {} deleted from sync", group_id);
+    Ok(())
+  }
+
  /// Download a profile from S3 if it exists remotely but not locally
  pub async fn download_profile_if_missing(
    &self,
    app_handle: &tauri::AppHandle,
    profile_id: &str,
+    key_prefix: &str,
  ) -> SyncResult<bool> {
    let profile_manager = ProfileManager::instance();
    let profiles_dir = profile_manager.get_profiles_dir();
@@ -1039,7 +1467,7 @@ impl SyncEngine {
    }

    // Check if profile exists remotely
-    let manifest_key = format!("profiles/{}/manifest.json", profile_id);
+    let manifest_key = format!("{}profiles/{}/manifest.json", key_prefix, profile_id);
    let stat = self.client.stat(&manifest_key).await?;

    if !stat.exists {
@@ -1053,7 +1481,7 @@ impl SyncEngine {
    );

    // Download metadata.json first to get profile info
-    let metadata_key = format!("profiles/{}/metadata.json", profile_id);
+    let metadata_key = format!("{}profiles/{}/metadata.json", key_prefix, profile_id);
    let metadata_stat = self.client.stat(&metadata_key).await?;

    if !metadata_stat.exists {
@@ -1174,6 +1602,7 @@ impl SyncEngine {
          &profile_dir,
          &manifest.files,
          encryption_key.as_ref(),
+          key_prefix,
        )
        .await?;
    }
@@ -1217,13 +1646,13 @@ impl SyncEngine {
  ) -> SyncResult<Vec<String>> {
    log::info!("Checking for missing synced profiles...");

-    // List all profiles from S3
+    // List personal profiles from S3
    let list_response = self.client.list("profiles/").await?;

    let mut downloaded: Vec<String> = Vec::new();

-    // Extract unique profile IDs from the list
-    let mut profile_ids: std::collections::HashSet<String> = std::collections::HashSet::new();
+    // Extract unique profile IDs with their key prefix
+    let mut profiles_to_check: HashMap<String, String> = HashMap::new();
    for obj in list_response.objects {
      if obj.key.starts_with("profiles/") && obj.key.ends_with("/manifest.json") {
        if let Some(profile_id) = obj
@@ -1231,24 +1660,45 @@ impl SyncEngine {
          .strip_prefix("profiles/")
          .and_then(|s| s.strip_suffix("/manifest.json"))
        {
-          profile_ids.insert(profile_id.to_string());
+          profiles_to_check.insert(profile_id.to_string(), String::new());
+        }
+      }
+    }
+
+    // Also list team profiles if user is on a team
+    if let Some(auth) = crate::cloud_auth::CLOUD_AUTH.get_user().await {
+      if let Some(team_id) = &auth.user.team_id {
+        let team_prefix = format!("teams/{}/", team_id);
+        let team_list_key = format!("{}profiles/", team_prefix);
+        if let Ok(team_list) = self.client.list(&team_list_key).await {
+          for obj in team_list.objects {
+            if obj.key.starts_with("profiles/") && obj.key.ends_with("/manifest.json") {
+              if let Some(profile_id) = obj
+                .key
+                .strip_prefix("profiles/")
+                .and_then(|s| s.strip_suffix("/manifest.json"))
+              {
+                profiles_to_check.insert(profile_id.to_string(), team_prefix.clone());
+              }
+            }
+          }
        }
      }
    }

    log::info!(
      "Found {} profiles in remote storage, checking for missing ones...",
-      profile_ids.len()
+      profiles_to_check.len()
    );

    // For each remote profile, check if it exists locally and download if missing
-    for profile_id in profile_ids {
+    for (profile_id, key_prefix) in &profiles_to_check {
      match self
-        .download_profile_if_missing(app_handle, &profile_id)
+        .download_profile_if_missing(app_handle, profile_id, key_prefix)
        .await
      {
        Ok(true) => {
-          downloaded.push(profile_id);
+          downloaded.push(profile_id.clone());
        }
        Ok(false) => {
          // Profile exists locally or doesn't exist remotely, skip
@@ -1272,17 +1722,28 @@ impl SyncEngine {
    // Refresh metadata for local cross-OS profiles (propagate renames, tags, notes from originating device)
    let profile_manager = ProfileManager::instance();
    // Collect cross-OS profiles before async operations to avoid holding non-Send Result across await
-    let cross_os_profiles: Vec<(String, SyncMode)> = profile_manager
+    let cross_os_profiles: Vec<(String, SyncMode, Option<String>)> = profile_manager
      .list_profiles()
      .unwrap_or_default()
      .iter()
      .filter(|p| p.is_cross_os() && p.is_sync_enabled())
-      .map(|p| (p.id.to_string(), p.sync_mode))
+      .map(|p| (p.id.to_string(), p.sync_mode, p.created_by_id.clone()))
      .collect();

    if !cross_os_profiles.is_empty() {
-      for (pid, sync_mode) in &cross_os_profiles {
-        let metadata_key = format!("profiles/{}/metadata.json", pid);
+      let team_prefix = if let Some(auth) = crate::cloud_auth::CLOUD_AUTH.get_user().await {
+        auth.user.team_id.map(|tid| format!("teams/{}/", tid))
+      } else {
+        None
+      };
+
+      for (pid, sync_mode, created_by_id) in &cross_os_profiles {
+        let kp = if created_by_id.is_some() {
+          team_prefix.as_deref().unwrap_or("")
+        } else {
+          ""
+        };
+        let metadata_key = format!("{}profiles/{}/metadata.json", kp, pid);
        match self.client.stat(&metadata_key).await {
          Ok(stat) if stat.exists => match self.client.presign_download(&metadata_key).await {
            Ok(presign) => match self.client.download_bytes(&presign.url).await {
@@ -1626,8 +2087,15 @@ pub async fn set_profile_sync_mode(
    }
  }

-  // If switching to Encrypted, verify password and generate salt
+  // If switching to Encrypted, verify eligibility, password, and generate salt
  if new_mode == SyncMode::Encrypted {
+    // Only pro users and team owners can enable encryption
+    if let Some(state) = crate::cloud_auth::CLOUD_AUTH.get_user().await {
+      if state.user.plan == "team" && state.user.team_role.as_deref() != Some("owner") {
+        return Err("Profile encryption is available for Pro users and team owners.".to_string());
+      }
+    }
+
    if !encryption::has_e2e_password() {
      return Err("E2E password not set. Please set a password in Settings first.".to_string());
    }
@@ -1640,7 +2108,8 @@ pub async fn set_profile_sync_mode(
  let mode_switched = old_mode != SyncMode::Disabled && enabling && old_mode != new_mode;
  if mode_switched {
    if let Ok(engine) = SyncEngine::create_from_settings(&app_handle).await {
-      let manifest_key = format!("profiles/{}/manifest.json", profile_id);
+      let key_prefix = SyncEngine::get_team_key_prefix(&profile).await;
+      let manifest_key = format!("{}profiles/{}/manifest.json", key_prefix, profile_id);
      let _ = engine.client.delete(&manifest_key, None).await;
      log::info!(
        "Deleted remote manifest for profile {} due to sync mode change ({:?} -> {:?})",
@@ -2093,6 +2562,8 @@ pub struct UnsyncedEntityCounts {
  pub proxies: usize,
  pub groups: usize,
  pub vpns: usize,
+  pub extensions: usize,
+  pub extension_groups: usize,
 }

 #[tauri::command]
@@ -2121,10 +2592,28 @@ pub fn get_unsynced_entity_counts() -> Result<UnsyncedEntityCounts, String> {
    configs.iter().filter(|c| !c.sync_enabled).count()
  };

+  let extension_count = {
+    let em = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+    let exts = em
+      .list_extensions()
+      .map_err(|e| format!("Failed to list extensions: {e}"))?;
+    exts.iter().filter(|e| !e.sync_enabled).count()
+  };
+
+  let extension_group_count = {
+    let em = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+    let groups = em
+      .list_groups()
+      .map_err(|e| format!("Failed to list extension groups: {e}"))?;
+    groups.iter().filter(|g| !g.sync_enabled).count()
+  };
+
  Ok(UnsyncedEntityCounts {
    proxies: proxy_count,
    groups: group_count,
    vpns: vpn_count,
+    extensions: extension_count,
+    extension_groups: extension_group_count,
  })
 }

@@ -2169,5 +2658,147 @@ pub async fn enable_sync_for_all_entities(app_handle: tauri::AppHandle) -> Resul
    }
  }

+  // Enable sync for all unsynced extensions
+  {
+    let exts = {
+      let em = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+      em.list_extensions()
+        .map_err(|e| format!("Failed to list extensions: {e}"))?
+    };
+    for ext in &exts {
+      if !ext.sync_enabled {
+        set_extension_sync_enabled(app_handle.clone(), ext.id.clone(), true).await?;
+      }
+    }
+  }
+
+  // Enable sync for all unsynced extension groups
+  {
+    let groups = {
+      let em = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+      em.list_groups()
+        .map_err(|e| format!("Failed to list extension groups: {e}"))?
+    };
+    for group in &groups {
+      if !group.sync_enabled {
+        set_extension_group_sync_enabled(app_handle.clone(), group.id.clone(), true).await?;
+      }
+    }
+  }
+
+  Ok(())
+}
+
+#[tauri::command]
+pub async fn set_extension_sync_enabled(
+  app_handle: tauri::AppHandle,
+  extension_id: String,
+  enabled: bool,
+) -> Result<(), String> {
+  let ext = {
+    let manager = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+    manager
+      .get_extension(&extension_id)
+      .map_err(|e| format!("Extension with ID '{extension_id}' not found: {e}"))?
+  };
+
+  if enabled {
+    let cloud_logged_in = crate::cloud_auth::CLOUD_AUTH.is_logged_in().await;
+    if !cloud_logged_in {
+      let manager = SettingsManager::instance();
+      let settings = manager
+        .load_settings()
+        .map_err(|e| format!("Failed to load settings: {e}"))?;
+      if settings.sync_server_url.is_none() {
+        return Err(
+          "Sync server not configured. Please configure sync settings first.".to_string(),
+        );
+      }
+      let token = manager.get_sync_token(&app_handle).await.ok().flatten();
+      if token.is_none() {
+        return Err("Sync token not configured. Please configure sync settings first.".to_string());
+      }
+    }
+  }
+
+  let mut updated_ext = ext;
+  updated_ext.sync_enabled = enabled;
+  if !enabled {
+    updated_ext.last_sync = None;
+  }
+
+  {
+    let manager = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+    manager
+      .update_extension_internal(&updated_ext)
+      .map_err(|e| format!("Failed to update extension sync: {e}"))?;
+  }
+
+  let _ = events::emit("extensions-changed", ());
+
+  if enabled {
+    if let Some(scheduler) = super::get_global_scheduler() {
+      scheduler.queue_extension_sync(extension_id).await;
+    }
+  }
+
+  Ok(())
+}
+
+#[tauri::command]
+pub async fn set_extension_group_sync_enabled(
+  app_handle: tauri::AppHandle,
+  extension_group_id: String,
+  enabled: bool,
+) -> Result<(), String> {
+  let group = {
+    let manager = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+    manager
+      .get_group(&extension_group_id)
+      .map_err(|e| format!("Extension group with ID '{extension_group_id}' not found: {e}"))?
+  };
+
+  if enabled {
+    let cloud_logged_in = crate::cloud_auth::CLOUD_AUTH.is_logged_in().await;
+    if !cloud_logged_in {
+      let manager = SettingsManager::instance();
+      let settings = manager
+        .load_settings()
+        .map_err(|e| format!("Failed to load settings: {e}"))?;
+      if settings.sync_server_url.is_none() {
+        return Err(
+          "Sync server not configured. Please configure sync settings first.".to_string(),
+        );
+      }
+      let token = manager.get_sync_token(&app_handle).await.ok().flatten();
+      if token.is_none() {
+        return Err("Sync token not configured. Please configure sync settings first.".to_string());
+      }
+    }
+  }
+
+  let mut updated_group = group;
+  updated_group.sync_enabled = enabled;
+  if !enabled {
+    updated_group.last_sync = None;
+  }
+
+  {
+    let manager = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+    manager
+      .update_group_internal(&updated_group)
+      .map_err(|e| format!("Failed to update extension group sync: {e}"))?;
+  }
+
+  let _ = events::emit("extensions-changed", ());
+
+  if enabled {
+    if let Some(scheduler) = super::get_global_scheduler() {
+      scheduler
+        .queue_extension_group_sync(extension_group_id)
+        .await;
+    }
+  }
+
  Ok(())
 }
@@ -13,9 +13,9 @@ pub use engine::{
  enable_vpn_sync_if_needed, get_unsynced_entity_counts, is_group_in_use_by_synced_profile,
  is_group_used_by_synced_profile, is_proxy_in_use_by_synced_profile,
  is_proxy_used_by_synced_profile, is_sync_configured, is_vpn_in_use_by_synced_profile,
-  is_vpn_used_by_synced_profile, request_profile_sync, set_group_sync_enabled,
-  set_profile_sync_mode, set_proxy_sync_enabled, set_vpn_sync_enabled, sync_profile,
-  trigger_sync_for_profile, SyncEngine,
+  is_vpn_used_by_synced_profile, request_profile_sync, set_extension_group_sync_enabled,
+  set_extension_sync_enabled, set_group_sync_enabled, set_profile_sync_mode,
+  set_proxy_sync_enabled, set_vpn_sync_enabled, sync_profile, trigger_sync_for_profile, SyncEngine,
 };
 pub use manifest::{compute_diff, generate_manifest, HashCache, ManifestDiff, SyncManifest};
 pub use scheduler::{get_global_scheduler, set_global_scheduler, SyncScheduler};
@@ -35,6 +35,8 @@ pub struct SyncScheduler {
  pending_proxies: Arc<Mutex<HashSet<String>>>,
  pending_groups: Arc<Mutex<HashSet<String>>>,
  pending_vpns: Arc<Mutex<HashSet<String>>>,
+  pending_extensions: Arc<Mutex<HashSet<String>>>,
+  pending_extension_groups: Arc<Mutex<HashSet<String>>>,
  pending_tombstones: Arc<Mutex<Vec<(String, String)>>>,
  running_profiles: Arc<Mutex<HashSet<String>>>,
  in_flight_profiles: Arc<Mutex<HashSet<String>>>,
@@ -54,6 +56,8 @@ impl SyncScheduler {
      pending_proxies: Arc::new(Mutex::new(HashSet::new())),
      pending_groups: Arc::new(Mutex::new(HashSet::new())),
      pending_vpns: Arc::new(Mutex::new(HashSet::new())),
+      pending_extensions: Arc::new(Mutex::new(HashSet::new())),
+      pending_extension_groups: Arc::new(Mutex::new(HashSet::new())),
      pending_tombstones: Arc::new(Mutex::new(Vec::new())),
      running_profiles: Arc::new(Mutex::new(HashSet::new())),
      in_flight_profiles: Arc::new(Mutex::new(HashSet::new())),
@@ -100,6 +104,18 @@ impl SyncScheduler {
    }
    drop(pending_vpns);

+    let pending_extensions = self.pending_extensions.lock().await;
+    if !pending_extensions.is_empty() {
+      return true;
+    }
+    drop(pending_extensions);
+
+    let pending_extension_groups = self.pending_extension_groups.lock().await;
+    if !pending_extension_groups.is_empty() {
+      return true;
+    }
+    drop(pending_extension_groups);
+
    let pending_tombstones = self.pending_tombstones.lock().await;
    if !pending_tombstones.is_empty() {
      return true;
@@ -208,6 +224,16 @@ impl SyncScheduler {
    pending.insert(group_id);
  }

+  pub async fn queue_extension_sync(&self, extension_id: String) {
+    let mut pending = self.pending_extensions.lock().await;
+    pending.insert(extension_id);
+  }
+
+  pub async fn queue_extension_group_sync(&self, extension_group_id: String) {
+    let mut pending = self.pending_extension_groups.lock().await;
+    pending.insert(extension_group_id);
+  }
+
  pub async fn queue_tombstone(&self, entity_type: String, entity_id: String) {
    let mut pending = self.pending_tombstones.lock().await;
    if !pending
@@ -234,7 +260,7 @@ impl SyncScheduler {

    let sync_enabled_profiles: Vec<_> = profiles
      .into_iter()
-      .filter(|p| p.is_sync_enabled())
+      .filter(|p| p.is_sync_enabled() && !p.is_cross_os())
      .collect();

    if sync_enabled_profiles.is_empty() {
@@ -286,6 +312,8 @@ impl SyncScheduler {
              SyncWorkItem::Proxy(id) => scheduler.queue_proxy_sync(id).await,
              SyncWorkItem::Group(id) => scheduler.queue_group_sync(id).await,
              SyncWorkItem::Vpn(id) => scheduler.queue_vpn_sync(id).await,
+              SyncWorkItem::Extension(id) => scheduler.queue_extension_sync(id).await,
+              SyncWorkItem::ExtensionGroup(id) => scheduler.queue_extension_group_sync(id).await,
              SyncWorkItem::Tombstone(entity_type, entity_id) => {
                scheduler.queue_tombstone(entity_type, entity_id).await
              }
@@ -306,6 +334,8 @@ impl SyncScheduler {
    self.process_pending_proxies(app_handle).await;
    self.process_pending_groups(app_handle).await;
    self.process_pending_vpns(app_handle).await;
+    self.process_pending_extensions(app_handle).await;
+    self.process_pending_extension_groups(app_handle).await;
    self.process_pending_tombstones(app_handle).await;
  }

@@ -356,7 +386,7 @@ impl SyncScheduler {
        profile_manager.list_profiles().ok().and_then(|profiles| {
          profiles
            .into_iter()
-            .find(|p| p.id.to_string() == profile_id && p.is_sync_enabled())
+            .find(|p| p.id.to_string() == profile_id && p.is_sync_enabled() && !p.is_cross_os())
        })
      };

@@ -385,6 +415,8 @@ impl SyncScheduler {
          && self.pending_proxies.lock().await.is_empty()
          && self.pending_groups.lock().await.is_empty()
          && self.pending_vpns.lock().await.is_empty()
+          && self.pending_extensions.lock().await.is_empty()
+          && self.pending_extension_groups.lock().await.is_empty()
      };

      match result {
@@ -618,6 +650,82 @@ impl SyncScheduler {
    }
  }

+  async fn process_pending_extensions(&self, app_handle: &tauri::AppHandle) {
+    let extensions_to_sync: Vec<String> = {
+      let mut pending = self.pending_extensions.lock().await;
+      let list: Vec<String> = pending.drain().collect();
+      list
+    };
+
+    if extensions_to_sync.is_empty() {
+      return;
+    }
+
+    match SyncEngine::create_from_settings(app_handle).await {
+      Ok(engine) => {
+        for ext_id in extensions_to_sync {
+          log::info!("Syncing extension {}", ext_id);
+          if let Err(e) = engine
+            .sync_extension_by_id_with_handle(&ext_id, app_handle)
+            .await
+          {
+            log::error!("Failed to sync extension {}: {}", ext_id, e);
+          }
+        }
+
+        if !self.is_sync_in_progress().await {
+          log::debug!("All syncs completed after extension sync, triggering cleanup");
+          let registry =
+            crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
+          if let Err(e) = registry.cleanup_unused_binaries() {
+            log::warn!("Cleanup after sync failed: {e}");
+          }
+        }
+      }
+      Err(e) => {
+        log::error!("Failed to create sync engine: {}", e);
+      }
+    }
+  }
+
+  async fn process_pending_extension_groups(&self, app_handle: &tauri::AppHandle) {
+    let groups_to_sync: Vec<String> = {
+      let mut pending = self.pending_extension_groups.lock().await;
+      let list: Vec<String> = pending.drain().collect();
+      list
+    };
+
+    if groups_to_sync.is_empty() {
+      return;
+    }
+
+    match SyncEngine::create_from_settings(app_handle).await {
+      Ok(engine) => {
+        for group_id in groups_to_sync {
+          log::info!("Syncing extension group {}", group_id);
+          if let Err(e) = engine
+            .sync_extension_group_by_id_with_handle(&group_id, app_handle)
+            .await
+          {
+            log::error!("Failed to sync extension group {}: {}", group_id, e);
+          }
+        }
+
+        if !self.is_sync_in_progress().await {
+          log::debug!("All syncs completed after extension group sync, triggering cleanup");
+          let registry =
+            crate::downloaded_browsers_registry::DownloadedBrowsersRegistry::instance();
+          if let Err(e) = registry.cleanup_unused_binaries() {
+            log::warn!("Cleanup after sync failed: {e}");
+          }
+        }
+      }
+      Err(e) => {
+        log::error!("Failed to create sync engine: {}", e);
+      }
+    }
+  }
+
  async fn process_pending_tombstones(&self, _app_handle: &tauri::AppHandle) {
    let tombstones: Vec<(String, String)> = {
      let mut pending = self.pending_tombstones.lock().await;
@@ -695,6 +803,32 @@ impl SyncScheduler {
            }
          }
        }
+        "extension" => {
+          let manager = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+          if let Ok(ext) = manager.get_extension(&entity_id) {
+            if ext.sync_enabled {
+              log::info!(
+                "Extension {} was deleted remotely, deleting locally",
+                entity_id
+              );
+              let _ = manager.delete_extension_internal(&entity_id);
+              let _ = events::emit("extensions-changed", ());
+            }
+          }
+        }
+        "extension_group" => {
+          let manager = crate::extension_manager::EXTENSION_MANAGER.lock().unwrap();
+          if let Ok(group) = manager.get_group(&entity_id) {
+            if group.sync_enabled {
+              log::info!(
+                "Extension group {} was deleted remotely, deleting locally",
+                entity_id
+              );
+              let _ = manager.delete_group_internal(&entity_id);
+              let _ = events::emit("extensions-changed", ());
+            }
+          }
+        }
        _ => {}
      }
    }
@@ -24,6 +24,8 @@ pub enum SyncWorkItem {
  Proxy(String),
  Group(String),
  Vpn(String),
+  Extension(String),
+  ExtensionGroup(String),
  Tombstone(String, String),
 }

@@ -206,8 +208,21 @@ impl SyncSubscription {
    data_line.and_then(|data| serde_json::from_str(data).ok())
  }

+  fn strip_team_prefix(key: &str) -> &str {
+    if key.starts_with("teams/") {
+      if let Some(rest) = key.find('/').and_then(|first_slash| {
+        key[first_slash + 1..]
+          .find('/')
+          .map(|second_slash| first_slash + 1 + second_slash + 1)
+      }) {
+        return &key[rest..];
+      }
+    }
+    key
+  }
+
  fn handle_event(event: &SubscribeEvent, work_tx: &mpsc::UnboundedSender<SyncWorkItem>) {
-    let Some(key) = &event.key else {
+    let Some(raw_key) = &event.key else {
      return;
    };

@@ -215,6 +230,8 @@ impl SyncSubscription {
      return;
    }

+    let key = Self::strip_team_prefix(raw_key);
+
    let work_item = if key.starts_with("profiles/") {
      key
        .strip_prefix("profiles/")
@@ -235,6 +252,16 @@ impl SyncSubscription {
        .strip_prefix("vpns/")
        .and_then(|s| s.strip_suffix(".json"))
        .map(|s| SyncWorkItem::Vpn(s.to_string()))
+    } else if key.starts_with("extensions/") {
+      key
+        .strip_prefix("extensions/")
+        .and_then(|s| s.strip_suffix(".json"))
+        .map(|s| SyncWorkItem::Extension(s.to_string()))
+    } else if key.starts_with("extension_groups/") {
+      key
+        .strip_prefix("extension_groups/")
+        .and_then(|s| s.strip_suffix(".json"))
+        .map(|s| SyncWorkItem::ExtensionGroup(s.to_string()))
    } else if key.starts_with("tombstones/") {
      key.strip_prefix("tombstones/").and_then(|rest| {
        if rest.starts_with("profiles/") {
@@ -257,6 +284,16 @@ impl SyncSubscription {
            .strip_prefix("vpns/")
            .and_then(|s| s.strip_suffix(".json"))
            .map(|id| SyncWorkItem::Tombstone("vpn".to_string(), id.to_string()))
+        } else if rest.starts_with("extensions/") {
+          rest
+            .strip_prefix("extensions/")
+            .and_then(|s| s.strip_suffix(".json"))
+            .map(|id| SyncWorkItem::Tombstone("extension".to_string(), id.to_string()))
+        } else if rest.starts_with("extension_groups/") {
+          rest
+            .strip_prefix("extension_groups/")
+            .and_then(|s| s.strip_suffix(".json"))
+            .map(|id| SyncWorkItem::Tombstone("extension_group".to_string(), id.to_string()))
        } else {
          None
        }
@@ -0,0 +1,335 @@
+use lazy_static::lazy_static;
+use reqwest::Client;
+use serde::{Deserialize, Serialize};
+use std::collections::HashMap;
+use tokio::sync::{Mutex, RwLock};
+use tokio::task::JoinHandle;
+
+use crate::cloud_auth::{CloudAuthManager, CLOUD_API_URL, CLOUD_AUTH};
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ProfileLockInfo {
+  #[serde(rename = "profileId")]
+  pub profile_id: String,
+  #[serde(rename = "lockedBy")]
+  pub locked_by: String,
+  #[serde(rename = "lockedByEmail")]
+  pub locked_by_email: String,
+  #[serde(rename = "lockedAt")]
+  pub locked_at: String,
+  #[serde(rename = "expiresAt", default)]
+  pub expires_at: Option<String>,
+}
+
+#[derive(Debug, Deserialize)]
+#[allow(dead_code)]
+struct AcquireLockResponse {
+  success: bool,
+  #[serde(rename = "lockedBy")]
+  locked_by: Option<String>,
+  #[serde(rename = "lockedByEmail")]
+  locked_by_email: Option<String>,
+}
+
+pub struct TeamLockManager {
+  locks: RwLock<HashMap<String, ProfileLockInfo>>,
+  heartbeat_handle: Mutex<Option<JoinHandle<()>>>,
+  connected_team_id: Mutex<Option<String>>,
+}
+
+lazy_static! {
+  pub static ref TEAM_LOCK: TeamLockManager = TeamLockManager::new();
+}
+
+impl TeamLockManager {
+  fn new() -> Self {
+    Self {
+      locks: RwLock::new(HashMap::new()),
+      heartbeat_handle: Mutex::new(None),
+      connected_team_id: Mutex::new(None),
+    }
+  }
+
+  pub async fn connect(&self, team_id: &str) {
+    log::info!("Connecting team lock manager for team: {team_id}");
+
+    {
+      let mut tid = self.connected_team_id.lock().await;
+      *tid = Some(team_id.to_string());
+    }
+
+    if let Err(e) = self.fetch_initial_locks(team_id).await {
+      log::warn!("Failed to fetch initial locks: {e}");
+    }
+
+    self.start_heartbeat_loop().await;
+  }
+
+  pub async fn disconnect(&self) {
+    log::info!("Disconnecting team lock manager");
+
+    {
+      let mut handle = self.heartbeat_handle.lock().await;
+      if let Some(h) = handle.take() {
+        h.abort();
+      }
+    }
+
+    {
+      let mut locks = self.locks.write().await;
+      locks.clear();
+    }
+
+    {
+      let mut tid = self.connected_team_id.lock().await;
+      *tid = None;
+    }
+  }
+
+  pub async fn acquire_lock(&self, profile_id: &str) -> Result<(), String> {
+    let team_id = self.get_team_id().await?;
+    let client = Client::new();
+
+    let access_token =
+      CloudAuthManager::load_access_token()?.ok_or_else(|| "Not logged in".to_string())?;
+
+    let url = format!("{CLOUD_API_URL}/api/teams/{team_id}/locks");
+    let response = client
+      .post(&url)
+      .header("Authorization", format!("Bearer {access_token}"))
+      .json(&serde_json::json!({ "profileId": profile_id }))
+      .send()
+      .await
+      .map_err(|e| format!("Failed to acquire lock: {e}"))?;
+
+    if !response.status().is_success() {
+      let status = response.status();
+      let body = response.text().await.unwrap_or_default();
+      return Err(format!("Lock acquisition failed ({status}): {body}"));
+    }
+
+    let result: AcquireLockResponse = response
+      .json()
+      .await
+      .map_err(|e| format!("Failed to parse lock response: {e}"))?;
+
+    if !result.success {
+      let email = result
+        .locked_by_email
+        .unwrap_or_else(|| "another user".to_string());
+      return Err(format!("Profile is in use by {email}"));
+    }
+
+    // Update local cache
+    if let Some(user) = CLOUD_AUTH.get_user().await {
+      let mut locks = self.locks.write().await;
+      locks.insert(
+        profile_id.to_string(),
+        ProfileLockInfo {
+          profile_id: profile_id.to_string(),
+          locked_by: user.user.id.clone(),
+          locked_by_email: user.user.email.clone(),
+          locked_at: chrono::Utc::now().to_rfc3339(),
+          expires_at: None,
+        },
+      );
+    }
+
+    let _ = crate::events::emit(
+      "team-lock-acquired",
+      serde_json::json!({ "profileId": profile_id }),
+    );
+
+    Ok(())
+  }
+
+  pub async fn release_lock(&self, profile_id: &str) -> Result<(), String> {
+    let team_id = self.get_team_id().await?;
+    let client = Client::new();
+
+    let access_token =
+      CloudAuthManager::load_access_token()?.ok_or_else(|| "Not logged in".to_string())?;
+
+    let url = format!("{CLOUD_API_URL}/api/teams/{team_id}/locks/{profile_id}");
+    let _ = client
+      .delete(&url)
+      .header("Authorization", format!("Bearer {access_token}"))
+      .send()
+      .await;
+
+    {
+      let mut locks = self.locks.write().await;
+      locks.remove(profile_id);
+    }
+
+    let _ = crate::events::emit(
+      "team-lock-released",
+      serde_json::json!({ "profileId": profile_id }),
+    );
+
+    Ok(())
+  }
+
+  pub async fn get_locks(&self) -> Vec<ProfileLockInfo> {
+    let locks = self.locks.read().await;
+    locks.values().cloned().collect()
+  }
+
+  pub async fn get_lock_status(&self, profile_id: &str) -> Option<ProfileLockInfo> {
+    let locks = self.locks.read().await;
+    locks.get(profile_id).cloned()
+  }
+
+  pub async fn is_locked_by_another(&self, profile_id: &str) -> bool {
+    let locks = self.locks.read().await;
+    if let Some(lock) = locks.get(profile_id) {
+      if let Some(user) = CLOUD_AUTH.get_user().await {
+        return lock.locked_by != user.user.id;
+      }
+    }
+    false
+  }
+
+  async fn fetch_initial_locks(&self, team_id: &str) -> Result<(), String> {
+    let client = Client::new();
+    let access_token =
+      CloudAuthManager::load_access_token()?.ok_or_else(|| "Not logged in".to_string())?;
+
+    let url = format!("{CLOUD_API_URL}/api/teams/{team_id}/locks");
+    let response = client
+      .get(&url)
+      .header("Authorization", format!("Bearer {access_token}"))
+      .send()
+      .await
+      .map_err(|e| format!("Failed to fetch locks: {e}"))?;
+
+    if !response.status().is_success() {
+      return Err("Failed to fetch locks".to_string());
+    }
+
+    let lock_list: Vec<ProfileLockInfo> = response
+      .json()
+      .await
+      .map_err(|e| format!("Failed to parse locks: {e}"))?;
+
+    let mut locks = self.locks.write().await;
+    locks.clear();
+    for lock in lock_list {
+      locks.insert(lock.profile_id.clone(), lock);
+    }
+
+    Ok(())
+  }
+
+  async fn start_heartbeat_loop(&self) {
+    let mut handle = self.heartbeat_handle.lock().await;
+    if let Some(h) = handle.take() {
+      h.abort();
+    }
+
+    let h = tokio::spawn(async move {
+      loop {
+        tokio::time::sleep(std::time::Duration::from_secs(30)).await;
+
+        let team_id = match TEAM_LOCK.get_team_id().await {
+          Ok(id) => id,
+          Err(_) => break,
+        };
+
+        let held_locks: Vec<String> = {
+          let locks = TEAM_LOCK.locks.read().await;
+          if let Some(user) = CLOUD_AUTH.get_user().await {
+            locks
+              .values()
+              .filter(|l| l.locked_by == user.user.id)
+              .map(|l| l.profile_id.clone())
+              .collect()
+          } else {
+            vec![]
+          }
+        };
+
+        for profile_id in held_locks {
+          let client = Client::new();
+          if let Ok(Some(token)) = CloudAuthManager::load_access_token() {
+            let url = format!("{CLOUD_API_URL}/api/teams/{team_id}/locks/{profile_id}/heartbeat");
+            let _ = client
+              .post(&url)
+              .header("Authorization", format!("Bearer {token}"))
+              .send()
+              .await;
+          }
+        }
+
+        // Refresh lock state from server
+        if let Err(e) = TEAM_LOCK.fetch_initial_locks(&team_id).await {
+          log::debug!("Failed to refresh locks: {e}");
+        }
+      }
+    });
+
+    *handle = Some(h);
+  }
+
+  async fn get_team_id(&self) -> Result<String, String> {
+    let tid = self.connected_team_id.lock().await;
+    tid
+      .clone()
+      .ok_or_else(|| "Not connected to a team".to_string())
+  }
+}
+
+/// Acquire team lock if profile is sync-enabled and user is on a team.
+/// Returns Ok(()) if lock acquired or not applicable, Err with message if locked by another.
+pub async fn acquire_team_lock_if_needed(
+  profile: &crate::profile::BrowserProfile,
+) -> Result<(), String> {
+  if !profile.is_sync_enabled() {
+    return Ok(());
+  }
+  if !CLOUD_AUTH.is_on_team_plan().await {
+    return Ok(());
+  }
+
+  if TEAM_LOCK
+    .is_locked_by_another(&profile.id.to_string())
+    .await
+  {
+    if let Some(lock) = TEAM_LOCK.get_lock_status(&profile.id.to_string()).await {
+      return Err(format!("Profile is in use by {}", lock.locked_by_email));
+    }
+    return Err("Profile is in use by another team member".to_string());
+  }
+
+  TEAM_LOCK.acquire_lock(&profile.id.to_string()).await
+}
+
+/// Release team lock if profile is sync-enabled and user is on a team.
+/// Logs warnings on failure but does not return errors.
+pub async fn release_team_lock_if_needed(profile: &crate::profile::BrowserProfile) {
+  if !profile.is_sync_enabled() {
+    return;
+  }
+  if !CLOUD_AUTH.is_on_team_plan().await {
+    return;
+  }
+
+  if let Err(e) = TEAM_LOCK.release_lock(&profile.id.to_string()).await {
+    log::warn!(
+      "Failed to release team lock for profile {}: {e}",
+      profile.id
+    );
+  }
+}
+
+// --- Tauri commands ---
+
+#[tauri::command]
+pub async fn get_team_locks() -> Result<Vec<ProfileLockInfo>, String> {
+  Ok(TEAM_LOCK.get_locks().await)
+}
+
+#[tauri::command]
+pub async fn get_team_lock_status(profile_id: String) -> Result<Option<ProfileLockInfo>, String> {
+  Ok(TEAM_LOCK.get_lock_status(&profile_id).await)
+}
@@ -362,20 +362,15 @@ impl VersionUpdater {
      eprintln!("Failed to emit completion progress: {e}");
    }

-    // After all version updates are complete, trigger auto-update check
-    if total_new_versions > 0 {
-      println!(
-        "Found {total_new_versions} new versions across all browsers. Checking for auto-updates..."
-      );
-
-      // Trigger auto-update check which will automatically download browsers
-      self
-        .auto_updater
-        .check_for_updates_with_progress(app_handle)
-        .await;
-    } else {
-      println!("No new versions found, skipping auto-update check");
-    }
+    // Always check for auto-updates — profiles may still be on older versions
+    // even if no new versions were found in the cache this cycle
+    println!(
+      "Checking for browser auto-updates (found {total_new_versions} new versions in cache)..."
+    );
+    self
+      .auto_updater
+      .check_for_updates_with_progress(app_handle)
+      .await;

    Ok(results)
  }
@@ -396,6 +396,7 @@ impl WayfernManager {
    url: Option<&str>,
    proxy_url: Option<&str>,
    ephemeral: bool,
+    extension_paths: &[String],
  ) -> Result<WayfernLaunchResult, Box<dyn std::error::Error + Send + Sync>> {
    let executable_path = if let Some(path) = &config.executable_path {
      let p = PathBuf::from(path);
@@ -448,6 +449,10 @@ impl WayfernManager {
      args.push("--disable-sync".to_string());
    }

+    if !extension_paths.is_empty() {
+      args.push(format!("--load-extension={}", extension_paths.join(",")));
+    }
+
    // Don't add URL to args - we'll navigate via CDP after setting fingerprint
    // This ensures fingerprint is applied at navigation commit time

@@ -834,6 +839,7 @@ impl WayfernManager {
        url,
        proxy_url,
        profile.ephemeral,
+        &[],
      )
      .await
  }
@@ -7,6 +7,45 @@ use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::TcpStream;
 use tokio::time::sleep;

+/// Start a simple HTTP server that returns a specific body for any request.
+/// Returns the (port, JoinHandle).
+async fn start_mock_http_server(response_body: &'static str) -> (u16, tokio::task::JoinHandle<()>) {
+  let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
+  let port = listener.local_addr().unwrap().port();
+
+  let handle = tokio::spawn(async move {
+    use http_body_util::Full;
+    use hyper::body::Bytes;
+    use hyper::server::conn::http1;
+    use hyper::service::service_fn;
+    use hyper::{Response, StatusCode};
+    use hyper_util::rt::TokioIo;
+
+    while let Ok((stream, _)) = listener.accept().await {
+      let io = TokioIo::new(stream);
+      tokio::task::spawn(async move {
+        let service = service_fn(move |_req| {
+          let body = response_body;
+          async move {
+            Ok::<_, hyper::Error>(
+              Response::builder()
+                .status(StatusCode::OK)
+                .body(Full::new(Bytes::from(body)))
+                .unwrap(),
+            )
+          }
+        });
+        let _ = http1::Builder::new().serve_connection(io, service).await;
+      });
+    }
+  });
+
+  // Wait for listener to be ready
+  sleep(Duration::from_millis(100)).await;
+
+  (port, handle)
+}
+
 /// Setup function to ensure donut-proxy binary exists and cleanup stale proxies
 async fn setup_test() -> Result<std::path::PathBuf, Box<dyn std::error::Error + Send + Sync>> {
  let cargo_manifest_dir = std::env::var("CARGO_MANIFEST_DIR")?;
@@ -637,3 +676,448 @@ async fn test_proxy_stop() -> Result<(), Box<dyn std::error::Error + Send + Sync

  Ok(())
 }
+
+/// Test that bypass rules cause requests to bypass the upstream proxy.
+/// Requests to bypassed hosts go directly to the target, while
+/// requests to non-bypassed hosts are routed through the upstream.
+#[tokio::test]
+#[serial]
+async fn test_bypass_rules_http_direct() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let binary_path = setup_test().await?;
+  let mut tracker = ProxyTestTracker::new(binary_path.clone());
+
+  // Start a target HTTP server (this is where bypassed requests should arrive)
+  let (target_port, target_handle) = start_mock_http_server("DIRECT-TARGET-RESPONSE").await;
+  println!("Target server listening on port {target_port}");
+
+  // Start a mock upstream proxy (non-bypassed requests go here)
+  let (upstream_port, upstream_handle) = start_mock_http_server("UPSTREAM-PROXY-RESPONSE").await;
+  println!("Mock upstream proxy listening on port {upstream_port}");
+
+  // Start donut-proxy with upstream + bypass rules for "127.0.0.1"
+  let bypass_rules = serde_json::json!(["127.0.0.1"]).to_string();
+  let output = TestUtils::execute_command(
+    &binary_path,
+    &[
+      "proxy",
+      "start",
+      "--host",
+      "127.0.0.1",
+      "--proxy-port",
+      &upstream_port.to_string(),
+      "--type",
+      "http",
+      "--bypass-rules",
+      &bypass_rules,
+    ],
+  )
+  .await?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    target_handle.abort();
+    upstream_handle.abort();
+    return Err(format!("Proxy start failed - stdout: {stdout}, stderr: {stderr}").into());
+  }
+
+  let config: Value = serde_json::from_str(&String::from_utf8(output.stdout)?)?;
+  let proxy_id = config["id"].as_str().unwrap().to_string();
+  let local_port = config["localPort"].as_u64().unwrap() as u16;
+  tracker.track_proxy(proxy_id.clone());
+
+  println!("Donut-proxy started on port {local_port} with bypass rules for 127.0.0.1");
+
+  sleep(Duration::from_millis(500)).await;
+
+  // Test 1: Request to 127.0.0.1 should be BYPASSED (direct connection to target)
+  {
+    let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+    let request = format!(
+      "GET http://127.0.0.1:{target_port}/ HTTP/1.1\r\nHost: 127.0.0.1:{target_port}\r\nConnection: close\r\n\r\n"
+    );
+    stream.write_all(request.as_bytes()).await?;
+
+    let mut response = Vec::new();
+    stream.read_to_end(&mut response).await?;
+    let response_str = String::from_utf8_lossy(&response);
+
+    println!(
+      "Bypass response: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+
+    assert!(
+      response_str.contains("DIRECT-TARGET-RESPONSE"),
+      "Bypassed request should reach target directly, got: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+    assert!(
+      !response_str.contains("UPSTREAM-PROXY-RESPONSE"),
+      "Bypassed request should NOT go through upstream"
+    );
+    println!("Bypass test passed: request to 127.0.0.1 went directly to target");
+  }
+
+  // Test 2: Request to non-bypassed host should go through upstream
+  {
+    let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+    let request =
+      b"GET http://non-bypass-host.test/ HTTP/1.1\r\nHost: non-bypass-host.test\r\nConnection: close\r\n\r\n";
+    stream.write_all(request).await?;
+
+    let mut response = Vec::new();
+    stream.read_to_end(&mut response).await?;
+    let response_str = String::from_utf8_lossy(&response);
+
+    println!(
+      "Non-bypass response: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+
+    assert!(
+      response_str.contains("UPSTREAM-PROXY-RESPONSE"),
+      "Non-bypassed request should go through upstream, got: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+    assert!(
+      !response_str.contains("DIRECT-TARGET-RESPONSE"),
+      "Non-bypassed request should NOT reach target directly"
+    );
+    println!("Non-bypass test passed: request to non-bypass-host.test went through upstream");
+  }
+
+  // Cleanup
+  tracker.cleanup_all().await;
+  target_handle.abort();
+  upstream_handle.abort();
+
+  Ok(())
+}
+
+/// Test bypass rules with regex patterns.
+/// Verifies that regex-based rules match hosts correctly.
+#[tokio::test]
+#[serial]
+async fn test_bypass_rules_regex_pattern() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let binary_path = setup_test().await?;
+  let mut tracker = ProxyTestTracker::new(binary_path.clone());
+
+  let (target_port, target_handle) = start_mock_http_server("REGEX-DIRECT-RESPONSE").await;
+  let (upstream_port, upstream_handle) = start_mock_http_server("REGEX-UPSTREAM-RESPONSE").await;
+
+  // Use regex bypass rule: ^127\.0\.0\.\d+ (matches any 127.0.0.x address)
+  let bypass_rules = serde_json::json!([r"^127\.0\.0\.\d+"]).to_string();
+  let output = TestUtils::execute_command(
+    &binary_path,
+    &[
+      "proxy",
+      "start",
+      "--host",
+      "127.0.0.1",
+      "--proxy-port",
+      &upstream_port.to_string(),
+      "--type",
+      "http",
+      "--bypass-rules",
+      &bypass_rules,
+    ],
+  )
+  .await?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    target_handle.abort();
+    upstream_handle.abort();
+    return Err(format!("Proxy start failed - stdout: {stdout}, stderr: {stderr}").into());
+  }
+
+  let config: Value = serde_json::from_str(&String::from_utf8(output.stdout)?)?;
+  let proxy_id = config["id"].as_str().unwrap().to_string();
+  let local_port = config["localPort"].as_u64().unwrap() as u16;
+  tracker.track_proxy(proxy_id.clone());
+
+  sleep(Duration::from_millis(500)).await;
+
+  // Request to 127.0.0.1 should match regex and be bypassed
+  {
+    let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+    let request = format!(
+      "GET http://127.0.0.1:{target_port}/ HTTP/1.1\r\nHost: 127.0.0.1:{target_port}\r\nConnection: close\r\n\r\n"
+    );
+    stream.write_all(request.as_bytes()).await?;
+
+    let mut response = Vec::new();
+    stream.read_to_end(&mut response).await?;
+    let response_str = String::from_utf8_lossy(&response);
+
+    assert!(
+      response_str.contains("REGEX-DIRECT-RESPONSE"),
+      "Regex-bypassed request should reach target directly, got: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+    println!("Regex bypass test passed: 127.0.0.1 matched regex rule");
+  }
+
+  // Request to non-matching host should go through upstream
+  {
+    let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+    let request =
+      b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n";
+    stream.write_all(request).await?;
+
+    let mut response = Vec::new();
+    stream.read_to_end(&mut response).await?;
+    let response_str = String::from_utf8_lossy(&response);
+
+    assert!(
+      response_str.contains("REGEX-UPSTREAM-RESPONSE"),
+      "Non-matching request should go through upstream, got: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+    println!("Regex non-bypass test passed: example.com did not match regex rule");
+  }
+
+  tracker.cleanup_all().await;
+  target_handle.abort();
+  upstream_handle.abort();
+
+  Ok(())
+}
+
+/// Test that bypass rules are persisted in the proxy config on disk.
+#[tokio::test]
+#[serial]
+async fn test_bypass_rules_in_config() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let binary_path = setup_test().await?;
+  let mut tracker = ProxyTestTracker::new(binary_path.clone());
+
+  let bypass_rules =
+    serde_json::json!(["example.com", "192.168.0.0/16", r".*\.internal\.net"]).to_string();
+  let output = TestUtils::execute_command(
+    &binary_path,
+    &["proxy", "start", "--bypass-rules", &bypass_rules],
+  )
+  .await?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    return Err(format!("Proxy start failed - stdout: {stdout}, stderr: {stderr}").into());
+  }
+
+  let config: Value = serde_json::from_str(&String::from_utf8(output.stdout)?)?;
+  let proxy_id = config["id"].as_str().unwrap().to_string();
+  tracker.track_proxy(proxy_id.clone());
+
+  sleep(Duration::from_millis(500)).await;
+
+  // Read the proxy config file from disk to verify bypass rules are persisted
+  let proxies_dir = donutbrowser_lib::app_dirs::proxies_dir();
+  let config_file = proxies_dir.join(format!("{proxy_id}.json"));
+
+  assert!(
+    config_file.exists(),
+    "Proxy config file should exist at {:?}",
+    config_file
+  );
+
+  let config_content = std::fs::read_to_string(&config_file)?;
+  let disk_config: Value = serde_json::from_str(&config_content)?;
+
+  let rules = disk_config["bypass_rules"]
+    .as_array()
+    .expect("bypass_rules should be an array in the config");
+
+  assert_eq!(rules.len(), 3, "Should have 3 bypass rules");
+  assert_eq!(rules[0], "example.com");
+  assert_eq!(rules[1], "192.168.0.0/16");
+  assert_eq!(rules[2], r".*\.internal\.net");
+
+  println!(
+    "Config persistence test passed: {} bypass rules found in config",
+    rules.len()
+  );
+
+  tracker.cleanup_all().await;
+
+  Ok(())
+}
+
+/// Test bypass rules with multiple rule types combined (exact + regex).
+#[tokio::test]
+#[serial]
+async fn test_bypass_rules_multiple_rules() -> Result<(), Box<dyn std::error::Error + Send + Sync>>
+{
+  let binary_path = setup_test().await?;
+  let mut tracker = ProxyTestTracker::new(binary_path.clone());
+
+  let (target_port, target_handle) = start_mock_http_server("MULTI-DIRECT-RESPONSE").await;
+  let (upstream_port, upstream_handle) = start_mock_http_server("MULTI-UPSTREAM-RESPONSE").await;
+
+  // Multiple bypass rules: exact match + regex
+  let bypass_rules = serde_json::json!(["127.0.0.1", r"^localhost$"]).to_string();
+  let output = TestUtils::execute_command(
+    &binary_path,
+    &[
+      "proxy",
+      "start",
+      "--host",
+      "127.0.0.1",
+      "--proxy-port",
+      &upstream_port.to_string(),
+      "--type",
+      "http",
+      "--bypass-rules",
+      &bypass_rules,
+    ],
+  )
+  .await?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    target_handle.abort();
+    upstream_handle.abort();
+    return Err(format!("Proxy start failed - stdout: {stdout}, stderr: {stderr}").into());
+  }
+
+  let config: Value = serde_json::from_str(&String::from_utf8(output.stdout)?)?;
+  let proxy_id = config["id"].as_str().unwrap().to_string();
+  let local_port = config["localPort"].as_u64().unwrap() as u16;
+  tracker.track_proxy(proxy_id.clone());
+
+  sleep(Duration::from_millis(500)).await;
+
+  // Request via 127.0.0.1 (exact match rule) → bypass
+  {
+    let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+    let request = format!(
+      "GET http://127.0.0.1:{target_port}/ HTTP/1.1\r\nHost: 127.0.0.1:{target_port}\r\nConnection: close\r\n\r\n"
+    );
+    stream.write_all(request.as_bytes()).await?;
+
+    let mut response = Vec::new();
+    stream.read_to_end(&mut response).await?;
+    let response_str = String::from_utf8_lossy(&response);
+
+    assert!(
+      response_str.contains("MULTI-DIRECT-RESPONSE"),
+      "Exact-match bypassed request should reach target, got: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+    println!("Multi-rule test: exact match bypass works");
+  }
+
+  // Request via localhost (regex match rule) → bypass
+  {
+    let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+    let request = format!(
+      "GET http://localhost:{target_port}/ HTTP/1.1\r\nHost: localhost:{target_port}\r\nConnection: close\r\n\r\n"
+    );
+    stream.write_all(request.as_bytes()).await?;
+
+    let mut response = Vec::new();
+    stream.read_to_end(&mut response).await?;
+    let response_str = String::from_utf8_lossy(&response);
+
+    assert!(
+      response_str.contains("MULTI-DIRECT-RESPONSE"),
+      "Regex-match bypassed request should reach target, got: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+    println!("Multi-rule test: regex match bypass works");
+  }
+
+  // Request to non-matching host → upstream
+  {
+    let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+    let request =
+      b"GET http://other-host.test/ HTTP/1.1\r\nHost: other-host.test\r\nConnection: close\r\n\r\n";
+    stream.write_all(request).await?;
+
+    let mut response = Vec::new();
+    stream.read_to_end(&mut response).await?;
+    let response_str = String::from_utf8_lossy(&response);
+
+    assert!(
+      response_str.contains("MULTI-UPSTREAM-RESPONSE"),
+      "Non-matching request should go through upstream, got: {}",
+      &response_str[..response_str.len().min(300)]
+    );
+    println!("Multi-rule test: non-matching host goes through upstream");
+  }
+
+  tracker.cleanup_all().await;
+  target_handle.abort();
+  upstream_handle.abort();
+
+  Ok(())
+}
+
+/// Test that an empty bypass rules list means everything goes through upstream.
+#[tokio::test]
+#[serial]
+async fn test_no_bypass_rules_all_through_upstream(
+) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+  let binary_path = setup_test().await?;
+  let mut tracker = ProxyTestTracker::new(binary_path.clone());
+
+  let (upstream_port, upstream_handle) = start_mock_http_server("ALL-UPSTREAM-RESPONSE").await;
+
+  // Start proxy with empty bypass rules
+  let bypass_rules = serde_json::json!([]).to_string();
+  let output = TestUtils::execute_command(
+    &binary_path,
+    &[
+      "proxy",
+      "start",
+      "--host",
+      "127.0.0.1",
+      "--proxy-port",
+      &upstream_port.to_string(),
+      "--type",
+      "http",
+      "--bypass-rules",
+      &bypass_rules,
+    ],
+  )
+  .await?;
+
+  if !output.status.success() {
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    upstream_handle.abort();
+    return Err(format!("Proxy start failed - stdout: {stdout}, stderr: {stderr}").into());
+  }
+
+  let config: Value = serde_json::from_str(&String::from_utf8(output.stdout)?)?;
+  let proxy_id = config["id"].as_str().unwrap().to_string();
+  let local_port = config["localPort"].as_u64().unwrap() as u16;
+  tracker.track_proxy(proxy_id.clone());
+
+  sleep(Duration::from_millis(500)).await;
+
+  // All requests should go through upstream when bypass rules are empty
+  let mut stream = TcpStream::connect(("127.0.0.1", local_port)).await?;
+  let request =
+    b"GET http://any-host.test/ HTTP/1.1\r\nHost: any-host.test\r\nConnection: close\r\n\r\n";
+  stream.write_all(request).await?;
+
+  let mut response = Vec::new();
+  stream.read_to_end(&mut response).await?;
+  let response_str = String::from_utf8_lossy(&response);
+
+  assert!(
+    response_str.contains("ALL-UPSTREAM-RESPONSE"),
+    "With no bypass rules, all requests should go through upstream, got: {}",
+    &response_str[..response_str.len().min(300)]
+  );
+  println!("Empty bypass rules test passed: all traffic goes through upstream");
+
+  tracker.cleanup_all().await;
+  upstream_handle.abort();
+
+  Ok(())
+}
@@ -238,6 +238,46 @@ fn create_test_profile_bundle(temp_dir: &Path) -> Vec<u8> {
  encoder.finish().unwrap()
 }

+fn create_test_profile_bundle_with_bypass_rules(temp_dir: &Path, bypass_rules: &[&str]) -> Vec<u8> {
+  use flate2::write::GzEncoder;
+  use flate2::Compression;
+  use tar::Builder;
+
+  let metadata = json!({
+    "id": "test-bypass-profile-id",
+    "name": "Bypass Rules Profile",
+    "browser": "camoufox",
+    "version": "120.0.0",
+    "release_type": "stable",
+    "sync_enabled": true,
+    "tags": [],
+    "proxy_bypass_rules": bypass_rules
+  });
+
+  let profile_dir = temp_dir.join("bypass_profile");
+  fs::create_dir_all(&profile_dir).unwrap();
+  fs::write(profile_dir.join("test_file.txt"), "bypass test content").unwrap();
+
+  let mut encoder = GzEncoder::new(Vec::new(), Compression::default());
+  {
+    let mut tar = Builder::new(&mut encoder);
+
+    let metadata_json = serde_json::to_string_pretty(&metadata).unwrap();
+    let mut header = tar::Header::new_gnu();
+    header.set_size(metadata_json.len() as u64);
+    header.set_mode(0o644);
+    header.set_cksum();
+    tar
+      .append_data(&mut header, "metadata.json", metadata_json.as_bytes())
+      .unwrap();
+
+    tar.append_dir_all("profile", &profile_dir).unwrap();
+    tar.finish().unwrap();
+  }
+
+  encoder.finish().unwrap()
+}
+
 fn extract_bundle(data: &[u8], target_dir: &Path) -> serde_json::Value {
  use flate2::read::GzDecoder;
  use tar::Archive;
@@ -727,3 +767,77 @@ async fn test_delta_sync_only_changed_files() {
  client.delete(&file2_key, None).await.unwrap();
  client.delete(&file3_key, None).await.unwrap();
 }
+
+#[tokio::test]
+async fn test_profile_bypass_rules_sync() {
+  ensure_sync_server_available().await;
+  let client = TestClient::new();
+  let temp_dir = TempDir::new().unwrap();
+  let profile_id = uuid::Uuid::new_v4().to_string();
+  let test_key = format!("profiles/{}.tar.gz", profile_id);
+
+  let bypass_rules = vec!["example.com", "192.168.1.0/24", ".*\\.internal\\.net"];
+
+  let bundle = create_test_profile_bundle_with_bypass_rules(temp_dir.path(), &bypass_rules);
+
+  let presign = client
+    .presign_upload(&test_key, "application/gzip")
+    .await
+    .unwrap();
+  client
+    .upload_bytes(&presign.url, &bundle, "application/gzip")
+    .await
+    .unwrap();
+
+  let stat = client.stat(&test_key).await.unwrap();
+  assert!(stat.exists);
+
+  // Download and verify bypass rules survive the round-trip
+  let download_presign = client.presign_download(&test_key).await.unwrap();
+  let downloaded = client.download_bytes(&download_presign.url).await.unwrap();
+  assert_eq!(downloaded.len(), bundle.len());
+
+  let extract_dir = temp_dir.path().join("extracted");
+  fs::create_dir_all(&extract_dir).unwrap();
+  let metadata = extract_bundle(&downloaded, &extract_dir);
+
+  assert_eq!(metadata["name"], "Bypass Rules Profile");
+  assert_eq!(metadata["browser"], "camoufox");
+
+  let synced_rules = metadata["proxy_bypass_rules"]
+    .as_array()
+    .expect("proxy_bypass_rules should be an array");
+  assert_eq!(synced_rules.len(), 3);
+  assert_eq!(synced_rules[0], "example.com");
+  assert_eq!(synced_rules[1], "192.168.1.0/24");
+  assert_eq!(synced_rules[2], ".*\\.internal\\.net");
+
+  // Also verify empty bypass rules are handled correctly
+  let empty_bundle = create_test_profile_bundle_with_bypass_rules(temp_dir.path(), &[]);
+  let empty_key = format!("profiles/{}.tar.gz", uuid::Uuid::new_v4());
+
+  let presign2 = client
+    .presign_upload(&empty_key, "application/gzip")
+    .await
+    .unwrap();
+  client
+    .upload_bytes(&presign2.url, &empty_bundle, "application/gzip")
+    .await
+    .unwrap();
+
+  let download_presign2 = client.presign_download(&empty_key).await.unwrap();
+  let downloaded2 = client.download_bytes(&download_presign2.url).await.unwrap();
+
+  let extract_dir2 = temp_dir.path().join("extracted2");
+  fs::create_dir_all(&extract_dir2).unwrap();
+  let metadata2 = extract_bundle(&downloaded2, &extract_dir2);
+
+  let empty_rules = metadata2["proxy_bypass_rules"]
+    .as_array()
+    .expect("proxy_bypass_rules should be an array");
+  assert!(empty_rules.is_empty());
+
+  // Cleanup
+  client.delete(&test_key, None).await.unwrap();
+  client.delete(&empty_key, None).await.unwrap();
+}
@@ -5,11 +5,13 @@ import { listen } from "@tauri-apps/api/event";
 import { getCurrent } from "@tauri-apps/plugin-deep-link";
 import { useCallback, useEffect, useMemo, useRef, useState } from "react";
 import { CamoufoxConfigDialog } from "@/components/camoufox-config-dialog";
+import { CloneProfileDialog } from "@/components/clone-profile-dialog";
 import { CommercialTrialModal } from "@/components/commercial-trial-modal";
 import { CookieCopyDialog } from "@/components/cookie-copy-dialog";
 import { CookieManagementDialog } from "@/components/cookie-management-dialog";
 import { CreateProfileDialog } from "@/components/create-profile-dialog";
 import { DeleteConfirmationDialog } from "@/components/delete-confirmation-dialog";
+import { ExtensionManagementDialog } from "@/components/extension-management-dialog";
 import { GroupAssignmentDialog } from "@/components/group-assignment-dialog";
 import { GroupBadges } from "@/components/group-badges";
 import { GroupManagementDialog } from "@/components/group-management-dialog";
@@ -44,6 +46,7 @@ import {
  dismissToast,
  showErrorToast,
  showSuccessToast,
+  showSyncProgressToast,
  showToast,
 } from "@/lib/toast-utils";
 import type {
@@ -139,6 +142,8 @@ export default function Home() {
    useState(false);
  const [groupManagementDialogOpen, setGroupManagementDialogOpen] =
    useState(false);
+  const [extensionManagementDialogOpen, setExtensionManagementDialogOpen] =
+    useState(false);
  const [groupAssignmentDialogOpen, setGroupAssignmentDialogOpen] =
    useState(false);
  const [proxyAssignmentDialogOpen, setProxyAssignmentDialogOpen] =
@@ -165,9 +170,12 @@ export default function Home() {
  const [pendingUrls, setPendingUrls] = useState<PendingUrl[]>([]);
  const [currentProfileForCamoufoxConfig, setCurrentProfileForCamoufoxConfig] =
    useState<BrowserProfile | null>(null);
+  const [cloneProfile, setCloneProfile] = useState<BrowserProfile | null>(null);
  const [hasCheckedStartupPrompt, setHasCheckedStartupPrompt] = useState(false);
  const [launchOnLoginDialogOpen, setLaunchOnLoginDialogOpen] = useState(false);
  const [windowResizeWarningOpen, setWindowResizeWarningOpen] = useState(false);
+  const [windowResizeWarningBrowserType, setWindowResizeWarningBrowserType] =
+    useState<string | undefined>(undefined);
  const windowResizeWarningResolver = useRef<
    ((proceed: boolean) => void) | null
  >(null);
@@ -185,8 +193,6 @@ export default function Home() {
  const { isMicrophoneAccessGranted, isCameraAccessGranted, isInitialized } =
    usePermissions();

-  const userInitiatedSyncIds = useRef<Set<string>>(new Set());
-
  const handleSelectGroup = useCallback((groupId: string) => {
    setSelectedGroupId(groupId);
    setSelectedProfiles([]);
@@ -498,23 +504,38 @@ export default function Home() {
      camoufoxConfig?: CamoufoxConfig;
      wayfernConfig?: WayfernConfig;
      groupId?: string;
+      extensionGroupId?: string;
      ephemeral?: boolean;
    }) => {
      try {
-        await invoke<BrowserProfile>("create_browser_profile_new", {
-          name: profileData.name,
-          browserStr: profileData.browserStr,
-          version: profileData.version,
-          releaseType: profileData.releaseType,
-          proxyId: profileData.proxyId,
-          vpnId: profileData.vpnId,
-          camoufoxConfig: profileData.camoufoxConfig,
-          wayfernConfig: profileData.wayfernConfig,
-          groupId:
-            profileData.groupId ||
-            (selectedGroupId !== "default" ? selectedGroupId : undefined),
-          ephemeral: profileData.ephemeral,
-        });
+        const profile = await invoke<BrowserProfile>(
+          "create_browser_profile_new",
+          {
+            name: profileData.name,
+            browserStr: profileData.browserStr,
+            version: profileData.version,
+            releaseType: profileData.releaseType,
+            proxyId: profileData.proxyId,
+            vpnId: profileData.vpnId,
+            camoufoxConfig: profileData.camoufoxConfig,
+            wayfernConfig: profileData.wayfernConfig,
+            groupId:
+              profileData.groupId ||
+              (selectedGroupId !== "default" ? selectedGroupId : undefined),
+            ephemeral: profileData.ephemeral,
+          },
+        );
+
+        if (profileData.extensionGroupId) {
+          try {
+            await invoke("assign_extension_group_to_profile", {
+              profileId: profile.id,
+              extensionGroupId: profileData.extensionGroupId,
+            });
+          } catch (err) {
+            console.error("Failed to assign extension group:", err);
+          }
+        }

        // No need to manually reload - useProfileEvents will handle the update
      } catch (error) {
@@ -523,7 +544,6 @@ export default function Home() {
            error instanceof Error ? error.message : String(error)
          }`,
        );
-        throw error;
      }
    },
    [selectedGroupId],
@@ -541,6 +561,7 @@ export default function Home() {
        if (!dismissed) {
          const proceed = await new Promise<boolean>((resolve) => {
            windowResizeWarningResolver.current = resolve;
+            setWindowResizeWarningBrowserType(profile.browser);
            setWindowResizeWarningOpen(true);
          });
          if (!proceed) {
@@ -565,16 +586,8 @@ export default function Home() {
    }
  }, []);

-  const handleCloneProfile = useCallback(async (profile: BrowserProfile) => {
-    try {
-      await invoke<BrowserProfile>("clone_profile", {
-        profileId: profile.id,
-      });
-    } catch (err: unknown) {
-      console.error("Failed to clone profile:", err);
-      const errorMessage = err instanceof Error ? err.message : String(err);
-      showErrorToast(`Failed to clone profile: ${errorMessage}`);
-    }
+  const handleCloneProfile = useCallback((profile: BrowserProfile) => {
+    setCloneProfile(profile);
  }, []);

  const handleDeleteProfile = useCallback(async (profile: BrowserProfile) => {
@@ -755,9 +768,6 @@ export default function Home() {
          profileId: profile.id,
          syncMode: enabling ? "Regular" : "Disabled",
        });
-        if (enabling) {
-          userInitiatedSyncIds.current.add(profile.id);
-        }
        showSuccessToast(enabling ? "Sync enabled" : "Sync disabled", {
          description: enabling
            ? "Profile sync has been enabled"
@@ -772,17 +782,16 @@ export default function Home() {
  );

  useEffect(() => {
-    let unlisten: (() => void) | undefined;
+    let unlistenStatus: (() => void) | undefined;
+    let unlistenProgress: (() => void) | undefined;
    (async () => {
      try {
-        unlisten = await listen<{
+        unlistenStatus = await listen<{
          profile_id: string;
          status: string;
          error?: string;
        }>("profile-sync-status", (event) => {
          const { profile_id, status, error } = event.payload;
-          if (!userInitiatedSyncIds.current.has(profile_id)) return;
-
          const toastId = `sync-${profile_id}`;
          const profile = profiles.find((p) => p.id === profile_id);
          const name = profile?.name ?? "Unknown";
@@ -792,26 +801,44 @@ export default function Home() {
              type: "loading",
              title: `Syncing profile '${name}'...`,
              id: toastId,
-              duration: 30000,
+              duration: Number.POSITIVE_INFINITY,
+              onCancel: () => dismissToast(toastId),
            });
          } else if (status === "synced") {
            dismissToast(toastId);
            showSuccessToast(`Profile '${name}' synced successfully`);
-            userInitiatedSyncIds.current.delete(profile_id);
          } else if (status === "error") {
            dismissToast(toastId);
            showErrorToast(
              `Failed to sync profile '${name}'${error ? `: ${error}` : ""}`,
            );
-            userInitiatedSyncIds.current.delete(profile_id);
          }
        });
+
+        unlistenProgress = await listen<{
+          profile_id: string;
+          phase: string;
+          total_files?: number;
+          total_bytes?: number;
+        }>("profile-sync-progress", (event) => {
+          const { profile_id, phase, total_files, total_bytes } = event.payload;
+          if (phase !== "started") return;
+
+          const toastId = `sync-${profile_id}`;
+          const profile = profiles.find((p) => p.id === profile_id);
+          const name = profile?.name ?? "Unknown";
+
+          showSyncProgressToast(name, total_files ?? 0, total_bytes ?? 0, {
+            id: toastId,
+          });
+        });
      } catch (error) {
-        console.error("Failed to listen for sync status events:", error);
+        console.error("Failed to listen for sync events:", error);
      }
    })();
    return () => {
-      if (unlisten) unlisten();
+      if (unlistenStatus) unlistenStatus();
+      if (unlistenProgress) unlistenProgress();
    };
  }, [profiles]);

@@ -1012,6 +1039,7 @@ export default function Home() {
            onSettingsDialogOpen={setSettingsDialogOpen}
            onSyncConfigDialogOpen={setSyncConfigDialogOpen}
            onIntegrationsDialogOpen={setIntegrationsDialogOpen}
+            onExtensionManagementDialogOpen={setExtensionManagementDialogOpen}
            searchQuery={searchQuery}
            onSearchQueryChange={setSearchQuery}
          />
@@ -1118,6 +1146,12 @@ export default function Home() {
        onPermissionGranted={checkNextPermission}
      />

+      <CloneProfileDialog
+        isOpen={!!cloneProfile}
+        onClose={() => setCloneProfile(null)}
+        profile={cloneProfile}
+      />
+
      <CamoufoxConfigDialog
        isOpen={camoufoxConfigDialogOpen}
        onClose={() => {
@@ -1142,6 +1176,12 @@ export default function Home() {
        onGroupManagementComplete={handleGroupManagementComplete}
      />

+      <ExtensionManagementDialog
+        isOpen={extensionManagementDialogOpen}
+        onClose={() => setExtensionManagementDialogOpen(false)}
+        limitedMode={!crossOsUnlocked}
+      />
+
      <GroupAssignmentDialog
        isOpen={groupAssignmentDialogOpen}
        onClose={() => {
@@ -1248,6 +1288,7 @@ export default function Home() {

      <WindowResizeWarningDialog
        isOpen={windowResizeWarningOpen}
+        browserType={windowResizeWarningBrowserType}
        onResult={(proceed) => {
          setWindowResizeWarningOpen(false);
          windowResizeWarningResolver.current?.(proceed);
@@ -0,0 +1,109 @@
+"use client";
+
+import { invoke } from "@tauri-apps/api/core";
+import * as React from "react";
+import { useTranslation } from "react-i18next";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import { Input } from "@/components/ui/input";
+import { showErrorToast } from "@/lib/toast-utils";
+import type { BrowserProfile } from "@/types";
+import { LoadingButton } from "./loading-button";
+import { RippleButton } from "./ui/ripple";
+
+interface CloneProfileDialogProps {
+  isOpen: boolean;
+  onClose: () => void;
+  profile: BrowserProfile | null;
+  onCloneComplete?: () => void;
+}
+
+export function CloneProfileDialog({
+  isOpen,
+  onClose,
+  profile,
+  onCloneComplete,
+}: CloneProfileDialogProps) {
+  const { t } = useTranslation();
+  const [name, setName] = React.useState("");
+  const [isLoading, setIsLoading] = React.useState(false);
+  const inputRef = React.useRef<HTMLInputElement>(null);
+
+  React.useEffect(() => {
+    if (isOpen && profile) {
+      const defaultName = `${profile.name} (Copy)`;
+      setName(defaultName);
+      setTimeout(() => {
+        inputRef.current?.focus();
+        inputRef.current?.select();
+      }, 0);
+    } else {
+      setIsLoading(false);
+    }
+  }, [isOpen, profile]);
+
+  if (!profile) return null;
+
+  const handleClone = async () => {
+    if (!name.trim() || isLoading) return;
+    setIsLoading(true);
+    try {
+      await invoke<BrowserProfile>("clone_profile", {
+        profileId: profile.id,
+        name: name.trim(),
+      });
+      onClose();
+      onCloneComplete?.();
+    } catch (err: unknown) {
+      const errorMessage = err instanceof Error ? err.message : String(err);
+      showErrorToast(`Failed to clone profile: ${errorMessage}`);
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
+  return (
+    <Dialog open={isOpen} onOpenChange={(open) => !open && onClose()}>
+      <DialogContent>
+        <DialogHeader>
+          <DialogTitle>{t("profileInfo.clone.title")}</DialogTitle>
+          <DialogDescription>
+            {t("profileInfo.clone.description")}
+          </DialogDescription>
+        </DialogHeader>
+        <Input
+          ref={inputRef}
+          value={name}
+          onChange={(e) => setName(e.target.value)}
+          onKeyDown={(e) => {
+            if (e.key === "Enter") void handleClone();
+          }}
+          placeholder={t("profileInfo.clone.namePlaceholder")}
+          disabled={isLoading}
+        />
+        <DialogFooter>
+          <RippleButton
+            variant="outline"
+            onClick={onClose}
+            disabled={isLoading}
+          >
+            {t("common.buttons.cancel")}
+          </RippleButton>
+          <LoadingButton
+            onClick={() => void handleClone()}
+            isLoading={isLoading}
+            disabled={!name.trim()}
+          >
+            {t("profileInfo.clone.button")}
+          </LoadingButton>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+}
@@ -74,6 +74,7 @@ interface CreateProfileDialogProps {
    camoufoxConfig?: CamoufoxConfig;
    wayfernConfig?: WayfernConfig;
    groupId?: string;
+    extensionGroupId?: string;
    ephemeral?: boolean;
  }) => Promise<void>;
  selectedGroupId?: string;
@@ -166,6 +167,21 @@ export function CreateProfileDialog({
  const [showProxyForm, setShowProxyForm] = useState(false);
  const [isCreating, setIsCreating] = useState(false);
  const [ephemeral, setEphemeral] = useState(false);
+  const [selectedExtensionGroupId, setSelectedExtensionGroupId] =
+    useState<string>();
+  const [extensionGroups, setExtensionGroups] = useState<
+    { id: string; name: string; extension_ids: string[] }[]
+  >([]);
+
+  useEffect(() => {
+    if (isOpen) {
+      invoke<{ id: string; name: string; extension_ids: string[] }[]>(
+        "list_extension_groups",
+      )
+        .then(setExtensionGroups)
+        .catch(() => setExtensionGroups([]));
+    }
+  }, [isOpen]);
  const [releaseTypes, setReleaseTypes] = useState<BrowserReleaseTypes>();
  const [isLoadingReleaseTypes, setIsLoadingReleaseTypes] = useState(false);
  const [releaseTypesError, setReleaseTypesError] = useState<string | null>(
@@ -179,7 +195,7 @@ export function CreateProfileDialog({
    downloadBrowser,
    loadDownloadedVersions,
    isVersionDownloaded,
-    downloadedVersions,
+    downloadedVersionsMap,
  } = useBrowserDownload();

  const loadSupportedBrowsers = useCallback(async () => {
@@ -344,8 +360,9 @@ export function CreateProfileDialog({
      if (bestVersion && isVersionDownloaded(bestVersion.version)) {
        return bestVersion;
      }
-      if (downloadedVersions.length > 0) {
-        const fallbackVersion = downloadedVersions[0];
+      const browserDownloaded = downloadedVersionsMap[browserType ?? ""] ?? [];
+      if (browserDownloaded.length > 0) {
+        const fallbackVersion = browserDownloaded[0];
        const releaseType =
          browserType === "firefox-developer" ? "nightly" : "stable";
        return {
@@ -355,7 +372,7 @@ export function CreateProfileDialog({
      }
      return null;
    },
-    [getBestAvailableVersion, isVersionDownloaded, downloadedVersions],
+    [getBestAvailableVersion, isVersionDownloaded, downloadedVersionsMap],
  );

  const handleDownload = async (browserStr: string) => {
@@ -405,6 +422,7 @@ export function CreateProfileDialog({
            wayfernConfig: finalWayfernConfig,
            groupId:
              selectedGroupId !== "default" ? selectedGroupId : undefined,
+            extensionGroupId: selectedExtensionGroupId,
            ephemeral,
          });
        } else {
@@ -429,6 +447,7 @@ export function CreateProfileDialog({
            camoufoxConfig: finalCamoufoxConfig,
            groupId:
              selectedGroupId !== "default" ? selectedGroupId : undefined,
+            extensionGroupId: selectedExtensionGroupId,
            ephemeral,
          });
        }
@@ -1073,6 +1092,37 @@ export function CreateProfileDialog({
                            </div>
                          )}
                        </div>
+
+                        {/* Extension Group */}
+                        {extensionGroups.length > 0 && (
+                          <div className="space-y-2">
+                            <Label>{t("extensions.extensionGroup")}</Label>
+                            <Select
+                              value={selectedExtensionGroupId || "none"}
+                              onValueChange={(val) =>
+                                setSelectedExtensionGroupId(
+                                  val === "none" ? undefined : val,
+                                )
+                              }
+                            >
+                              <SelectTrigger>
+                                <SelectValue
+                                  placeholder={t("profileInfo.values.none")}
+                                />
+                              </SelectTrigger>
+                              <SelectContent>
+                                <SelectItem value="none">
+                                  {t("profileInfo.values.none")}
+                                </SelectItem>
+                                {extensionGroups.map((g) => (
+                                  <SelectItem key={g.id} value={g.id}>
+                                    {g.name} ({g.extension_ids.length})
+                                  </SelectItem>
+                                ))}
+                              </SelectContent>
+                            </Select>
+                          </div>
+                        )}
                      </div>
                    </TabsContent>

@@ -0,0 +1,716 @@
+"use client";
+
+import { invoke } from "@tauri-apps/api/core";
+import { useCallback, useEffect, useState } from "react";
+import { useTranslation } from "react-i18next";
+import { GoPlus } from "react-icons/go";
+import { LuPencil, LuPuzzle, LuTrash2, LuUpload } from "react-icons/lu";
+import { Badge } from "@/components/ui/badge";
+import { Button } from "@/components/ui/button";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+import { ProBadge } from "@/components/ui/pro-badge";
+import { ScrollArea } from "@/components/ui/scroll-area";
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from "@/components/ui/select";
+import {
+  Table,
+  TableBody,
+  TableCell,
+  TableHead,
+  TableHeader,
+  TableRow,
+} from "@/components/ui/table";
+import {
+  Tooltip,
+  TooltipContent,
+  TooltipTrigger,
+} from "@/components/ui/tooltip";
+import { showErrorToast, showSuccessToast } from "@/lib/toast-utils";
+import type { Extension, ExtensionGroup } from "@/types";
+import { DeleteConfirmationDialog } from "./delete-confirmation-dialog";
+import { RippleButton } from "./ui/ripple";
+
+interface ExtensionManagementDialogProps {
+  isOpen: boolean;
+  onClose: () => void;
+  limitedMode: boolean;
+}
+
+export function ExtensionManagementDialog({
+  isOpen,
+  onClose,
+  limitedMode,
+}: ExtensionManagementDialogProps) {
+  const { t } = useTranslation();
+  const [extensions, setExtensions] = useState<Extension[]>([]);
+  const [extensionGroups, setExtensionGroups] = useState<ExtensionGroup[]>([]);
+  const [isLoading, setIsLoading] = useState(false);
+
+  // Extension upload state
+  const [isUploading, setIsUploading] = useState(false);
+  const [extensionName, setExtensionName] = useState("");
+  const [showUploadForm, setShowUploadForm] = useState(false);
+  const [pendingFile, setPendingFile] = useState<{
+    name: string;
+    data: number[];
+  } | null>(null);
+
+  // Group state
+  const [showCreateGroup, setShowCreateGroup] = useState(false);
+  const [newGroupName, setNewGroupName] = useState("");
+  const [editingGroup, setEditingGroup] = useState<ExtensionGroup | null>(null);
+  const [editGroupName, setEditGroupName] = useState("");
+
+  // Delete state
+  const [extensionToDelete, setExtensionToDelete] = useState<Extension | null>(
+    null,
+  );
+  const [groupToDelete, setGroupToDelete] = useState<ExtensionGroup | null>(
+    null,
+  );
+  const [isDeleting, setIsDeleting] = useState(false);
+
+  // Tab
+  const [activeTab, setActiveTab] = useState<"extensions" | "groups">(
+    "extensions",
+  );
+
+  const loadData = useCallback(async () => {
+    if (limitedMode) return;
+    setIsLoading(true);
+    try {
+      const [exts, groups] = await Promise.all([
+        invoke<Extension[]>("list_extensions"),
+        invoke<ExtensionGroup[]>("list_extension_groups"),
+      ]);
+      setExtensions(exts);
+      setExtensionGroups(groups);
+    } catch {
+      // User may not have pro subscription
+      setExtensions([]);
+      setExtensionGroups([]);
+    } finally {
+      setIsLoading(false);
+    }
+  }, [limitedMode]);
+
+  useEffect(() => {
+    if (isOpen) {
+      void loadData();
+    }
+  }, [isOpen, loadData]);
+
+  const handleFileSelect = useCallback(
+    (e: React.ChangeEvent<HTMLInputElement>) => {
+      const file = e.target.files?.[0];
+      if (!file) return;
+
+      const validExtensions = [".xpi", ".crx", ".zip"];
+      const isValid = validExtensions.some((ext) =>
+        file.name.toLowerCase().endsWith(ext),
+      );
+      if (!isValid) {
+        showErrorToast(t("extensions.invalidFileType"));
+        return;
+      }
+
+      const reader = new FileReader();
+      reader.onload = (event) => {
+        const arrayBuffer = event.target?.result as ArrayBuffer;
+        const data = Array.from(new Uint8Array(arrayBuffer));
+        const baseName = file.name
+          .replace(/\.(xpi|crx|zip)$/i, "")
+          .replace(/[-_]/g, " ");
+        setExtensionName(baseName);
+        setPendingFile({ name: file.name, data });
+        setShowUploadForm(true);
+      };
+      reader.onerror = () => {
+        showErrorToast(t("extensions.readError"));
+      };
+      reader.readAsArrayBuffer(file);
+
+      // Reset input
+      e.target.value = "";
+    },
+    [t],
+  );
+
+  const handleUpload = useCallback(async () => {
+    if (!pendingFile || !extensionName.trim()) return;
+    setIsUploading(true);
+    try {
+      await invoke("add_extension", {
+        name: extensionName.trim(),
+        fileName: pendingFile.name,
+        fileData: pendingFile.data,
+      });
+      showSuccessToast(t("extensions.uploadSuccess"));
+      setShowUploadForm(false);
+      setPendingFile(null);
+      setExtensionName("");
+      void loadData();
+    } catch (err) {
+      showErrorToast(err instanceof Error ? err.message : String(err));
+    } finally {
+      setIsUploading(false);
+    }
+  }, [pendingFile, extensionName, loadData, t]);
+
+  const handleDeleteExtension = useCallback(async () => {
+    if (!extensionToDelete) return;
+    setIsDeleting(true);
+    try {
+      await invoke("delete_extension", { extensionId: extensionToDelete.id });
+      showSuccessToast(t("extensions.deleteSuccess"));
+      setExtensionToDelete(null);
+      void loadData();
+    } catch (err) {
+      showErrorToast(err instanceof Error ? err.message : String(err));
+    } finally {
+      setIsDeleting(false);
+    }
+  }, [extensionToDelete, loadData, t]);
+
+  const handleCreateGroup = useCallback(async () => {
+    if (!newGroupName.trim()) return;
+    try {
+      await invoke("create_extension_group", { name: newGroupName.trim() });
+      showSuccessToast(t("extensions.groupCreateSuccess"));
+      setShowCreateGroup(false);
+      setNewGroupName("");
+      void loadData();
+    } catch (err) {
+      showErrorToast(err instanceof Error ? err.message : String(err));
+    }
+  }, [newGroupName, loadData, t]);
+
+  const handleUpdateGroup = useCallback(async () => {
+    if (!editingGroup || !editGroupName.trim()) return;
+    try {
+      await invoke("update_extension_group", {
+        groupId: editingGroup.id,
+        name: editGroupName.trim(),
+      });
+      showSuccessToast(t("extensions.groupUpdateSuccess"));
+      setEditingGroup(null);
+      setEditGroupName("");
+      void loadData();
+    } catch (err) {
+      showErrorToast(err instanceof Error ? err.message : String(err));
+    }
+  }, [editingGroup, editGroupName, loadData, t]);
+
+  const handleDeleteGroup = useCallback(async () => {
+    if (!groupToDelete) return;
+    setIsDeleting(true);
+    try {
+      await invoke("delete_extension_group", { groupId: groupToDelete.id });
+      showSuccessToast(t("extensions.groupDeleteSuccess"));
+      setGroupToDelete(null);
+      void loadData();
+    } catch (err) {
+      showErrorToast(err instanceof Error ? err.message : String(err));
+    } finally {
+      setIsDeleting(false);
+    }
+  }, [groupToDelete, loadData, t]);
+
+  const handleAddToGroup = useCallback(
+    async (groupId: string, extensionId: string) => {
+      try {
+        await invoke("add_extension_to_group", { groupId, extensionId });
+        void loadData();
+      } catch (err) {
+        showErrorToast(err instanceof Error ? err.message : String(err));
+      }
+    },
+    [loadData],
+  );
+
+  const handleRemoveFromGroup = useCallback(
+    async (groupId: string, extensionId: string) => {
+      try {
+        await invoke("remove_extension_from_group", { groupId, extensionId });
+        void loadData();
+      } catch (err) {
+        showErrorToast(err instanceof Error ? err.message : String(err));
+      }
+    },
+    [loadData],
+  );
+
+  const getCompatibilityBadge = (compat: string[]) => {
+    if (compat.includes("chromium") && compat.includes("firefox")) {
+      return (
+        <Badge variant="secondary">{t("extensions.compatibility.both")}</Badge>
+      );
+    }
+    if (compat.includes("chromium")) {
+      return (
+        <Badge variant="secondary">
+          {t("extensions.compatibility.chromium")}
+        </Badge>
+      );
+    }
+    if (compat.includes("firefox")) {
+      return (
+        <Badge variant="secondary">
+          {t("extensions.compatibility.firefox")}
+        </Badge>
+      );
+    }
+    return null;
+  };
+
+  return (
+    <>
+      <Dialog open={isOpen} onOpenChange={onClose}>
+        <DialogContent className="max-w-2xl">
+          <DialogHeader>
+            <DialogTitle className="flex items-center gap-2">
+              <LuPuzzle className="w-5 h-5" />
+              {t("extensions.title")}
+              {limitedMode && <ProBadge />}
+            </DialogTitle>
+            <DialogDescription>{t("extensions.description")}</DialogDescription>
+          </DialogHeader>
+
+          <div className="relative">
+            {limitedMode && (
+              <>
+                <div className="absolute inset-0 backdrop-blur-[6px] bg-background/30 z-[1]" />
+                <div className="absolute inset-y-0 left-0 w-6 bg-gradient-to-r from-background to-transparent z-[2]" />
+                <div className="absolute inset-y-0 right-0 w-6 bg-gradient-to-l from-background to-transparent z-[2]" />
+                <div className="absolute inset-x-0 top-0 h-6 bg-gradient-to-b from-background to-transparent z-[2]" />
+                <div className="absolute inset-x-0 bottom-0 h-6 bg-gradient-to-t from-background to-transparent z-[2]" />
+                <div className="absolute inset-0 flex items-center justify-center z-[3]">
+                  <div className="flex items-center gap-2 rounded-md bg-background/80 px-3 py-1.5">
+                    <ProBadge />
+                    <span className="text-sm font-medium text-muted-foreground">
+                      {t("extensions.proRequired")}
+                    </span>
+                  </div>
+                </div>
+              </>
+            )}
+
+            <div className="space-y-4">
+              {/* Tab selector */}
+              <div className="flex gap-2 border-b">
+                <button
+                  type="button"
+                  className={`px-3 py-2 text-sm font-medium border-b-2 transition-colors ${
+                    activeTab === "extensions"
+                      ? "border-primary text-foreground"
+                      : "border-transparent text-muted-foreground hover:text-foreground"
+                  }`}
+                  onClick={() => setActiveTab("extensions")}
+                  disabled={limitedMode}
+                >
+                  {t("extensions.extensionsTab")}
+                </button>
+                <button
+                  type="button"
+                  className={`px-3 py-2 text-sm font-medium border-b-2 transition-colors ${
+                    activeTab === "groups"
+                      ? "border-primary text-foreground"
+                      : "border-transparent text-muted-foreground hover:text-foreground"
+                  }`}
+                  onClick={() => setActiveTab("groups")}
+                  disabled={limitedMode}
+                >
+                  {t("extensions.groupsTab")}
+                </button>
+              </div>
+
+              {/* Notice */}
+              <div className="rounded-md bg-muted/50 p-3 text-sm text-muted-foreground">
+                {t("extensions.managedNotice")}
+              </div>
+
+              {activeTab === "extensions" && (
+                <div className="space-y-4">
+                  <div className="flex justify-between items-center">
+                    <Label>{t("extensions.extensionsTab")}</Label>
+                    <div>
+                      <label htmlFor="ext-file-input">
+                        <RippleButton
+                          size="sm"
+                          className="flex gap-2 items-center"
+                          disabled={limitedMode}
+                          onClick={() =>
+                            document.getElementById("ext-file-input")?.click()
+                          }
+                        >
+                          <LuUpload className="w-4 h-4" />
+                          {t("extensions.upload")}
+                        </RippleButton>
+                      </label>
+                      <input
+                        id="ext-file-input"
+                        type="file"
+                        accept=".xpi,.crx,.zip"
+                        className="hidden"
+                        onChange={handleFileSelect}
+                        disabled={limitedMode}
+                      />
+                    </div>
+                  </div>
+
+                  {/* Upload form */}
+                  {showUploadForm && pendingFile && (
+                    <div className="space-y-3 rounded-md border p-3">
+                      <div className="text-sm text-muted-foreground">
+                        {t("extensions.selectedFile")}:{" "}
+                        <span className="font-medium text-foreground">
+                          {pendingFile.name}
+                        </span>
+                      </div>
+                      <div className="flex gap-2">
+                        <Input
+                          value={extensionName}
+                          onChange={(e) => setExtensionName(e.target.value)}
+                          placeholder={t("extensions.namePlaceholder")}
+                          className="flex-1"
+                        />
+                        <RippleButton
+                          size="sm"
+                          onClick={handleUpload}
+                          disabled={isUploading || !extensionName.trim()}
+                        >
+                          {isUploading
+                            ? t("common.buttons.loading")
+                            : t("common.buttons.add")}
+                        </RippleButton>
+                        <Button
+                          size="sm"
+                          variant="outline"
+                          onClick={() => {
+                            setShowUploadForm(false);
+                            setPendingFile(null);
+                            setExtensionName("");
+                          }}
+                        >
+                          {t("common.buttons.cancel")}
+                        </Button>
+                      </div>
+                    </div>
+                  )}
+
+                  {/* Extensions list */}
+                  {isLoading ? (
+                    <div className="text-sm text-muted-foreground">
+                      {t("common.buttons.loading")}
+                    </div>
+                  ) : extensions.length === 0 ? (
+                    <div className="text-sm text-muted-foreground">
+                      {t("extensions.empty")}
+                    </div>
+                  ) : (
+                    <div className="border rounded-md">
+                      <ScrollArea className="h-[200px]">
+                        <Table>
+                          <TableHeader>
+                            <TableRow>
+                              <TableHead>{t("common.labels.name")}</TableHead>
+                              <TableHead className="w-24">
+                                {t("common.labels.type")}
+                              </TableHead>
+                              <TableHead className="w-32">
+                                {t("extensions.compatibility.label")}
+                              </TableHead>
+                              <TableHead className="w-20">
+                                {t("common.labels.actions")}
+                              </TableHead>
+                            </TableRow>
+                          </TableHeader>
+                          <TableBody>
+                            {extensions.map((ext) => (
+                              <TableRow key={ext.id}>
+                                <TableCell className="font-medium">
+                                  {ext.name}
+                                </TableCell>
+                                <TableCell>
+                                  <Badge variant="outline">
+                                    .{ext.file_type}
+                                  </Badge>
+                                </TableCell>
+                                <TableCell>
+                                  {getCompatibilityBadge(
+                                    ext.browser_compatibility,
+                                  )}
+                                </TableCell>
+                                <TableCell>
+                                  <Tooltip>
+                                    <TooltipTrigger asChild>
+                                      <Button
+                                        variant="ghost"
+                                        size="sm"
+                                        onClick={() =>
+                                          setExtensionToDelete(ext)
+                                        }
+                                      >
+                                        <LuTrash2 className="w-4 h-4" />
+                                      </Button>
+                                    </TooltipTrigger>
+                                    <TooltipContent>
+                                      {t("extensions.delete")}
+                                    </TooltipContent>
+                                  </Tooltip>
+                                </TableCell>
+                              </TableRow>
+                            ))}
+                          </TableBody>
+                        </Table>
+                      </ScrollArea>
+                    </div>
+                  )}
+                </div>
+              )}
+
+              {activeTab === "groups" && (
+                <div className="space-y-4">
+                  <div className="flex justify-between items-center">
+                    <Label>{t("extensions.groupsTab")}</Label>
+                    <RippleButton
+                      size="sm"
+                      onClick={() => setShowCreateGroup(true)}
+                      className="flex gap-2 items-center"
+                      disabled={limitedMode}
+                    >
+                      <GoPlus className="w-4 h-4" />
+                      {t("extensions.createGroup")}
+                    </RippleButton>
+                  </div>
+
+                  {/* Create group form */}
+                  {showCreateGroup && (
+                    <div className="flex gap-2 items-center">
+                      <Input
+                        value={newGroupName}
+                        onChange={(e) => setNewGroupName(e.target.value)}
+                        placeholder={t("extensions.groupNamePlaceholder")}
+                        className="flex-1"
+                        onKeyDown={(e) => {
+                          if (e.key === "Enter") void handleCreateGroup();
+                        }}
+                      />
+                      <RippleButton
+                        size="sm"
+                        onClick={handleCreateGroup}
+                        disabled={!newGroupName.trim()}
+                      >
+                        {t("common.buttons.create")}
+                      </RippleButton>
+                      <Button
+                        size="sm"
+                        variant="outline"
+                        onClick={() => {
+                          setShowCreateGroup(false);
+                          setNewGroupName("");
+                        }}
+                      >
+                        {t("common.buttons.cancel")}
+                      </Button>
+                    </div>
+                  )}
+
+                  {/* Groups list */}
+                  {extensionGroups.length === 0 ? (
+                    <div className="text-sm text-muted-foreground">
+                      {t("extensions.noGroups")}
+                    </div>
+                  ) : (
+                    <div className="space-y-3">
+                      {extensionGroups.map((group) => (
+                        <div
+                          key={group.id}
+                          className="rounded-md border p-3 space-y-2"
+                        >
+                          <div className="flex justify-between items-center">
+                            {editingGroup?.id === group.id ? (
+                              <div className="flex gap-2 items-center flex-1">
+                                <Input
+                                  value={editGroupName}
+                                  onChange={(e) =>
+                                    setEditGroupName(e.target.value)
+                                  }
+                                  className="flex-1"
+                                  onKeyDown={(e) => {
+                                    if (e.key === "Enter")
+                                      void handleUpdateGroup();
+                                  }}
+                                />
+                                <RippleButton
+                                  size="sm"
+                                  onClick={handleUpdateGroup}
+                                >
+                                  {t("common.buttons.save")}
+                                </RippleButton>
+                                <Button
+                                  size="sm"
+                                  variant="outline"
+                                  onClick={() => setEditingGroup(null)}
+                                >
+                                  {t("common.buttons.cancel")}
+                                </Button>
+                              </div>
+                            ) : (
+                              <>
+                                <span className="font-medium">
+                                  {group.name}
+                                </span>
+                                <div className="flex gap-1">
+                                  <Tooltip>
+                                    <TooltipTrigger asChild>
+                                      <Button
+                                        variant="ghost"
+                                        size="sm"
+                                        onClick={() => {
+                                          setEditingGroup(group);
+                                          setEditGroupName(group.name);
+                                        }}
+                                      >
+                                        <LuPencil className="w-4 h-4" />
+                                      </Button>
+                                    </TooltipTrigger>
+                                    <TooltipContent>
+                                      {t("common.buttons.edit")}
+                                    </TooltipContent>
+                                  </Tooltip>
+                                  <Tooltip>
+                                    <TooltipTrigger asChild>
+                                      <Button
+                                        variant="ghost"
+                                        size="sm"
+                                        onClick={() => setGroupToDelete(group)}
+                                      >
+                                        <LuTrash2 className="w-4 h-4" />
+                                      </Button>
+                                    </TooltipTrigger>
+                                    <TooltipContent>
+                                      {t("extensions.deleteGroup")}
+                                    </TooltipContent>
+                                  </Tooltip>
+                                </div>
+                              </>
+                            )}
+                          </div>
+
+                          {/* Extension assignment */}
+                          <div className="space-y-1">
+                            {group.extension_ids.length > 0 && (
+                              <div className="flex flex-wrap gap-1">
+                                {group.extension_ids.map((extId) => {
+                                  const ext = extensions.find(
+                                    (e) => e.id === extId,
+                                  );
+                                  if (!ext) return null;
+                                  return (
+                                    <Badge
+                                      key={extId}
+                                      variant="secondary"
+                                      className="flex items-center gap-1"
+                                    >
+                                      {ext.name}
+                                      <button
+                                        type="button"
+                                        className="ml-1 hover:text-destructive"
+                                        onClick={() =>
+                                          handleRemoveFromGroup(group.id, extId)
+                                        }
+                                      >
+                                        ×
+                                      </button>
+                                    </Badge>
+                                  );
+                                })}
+                              </div>
+                            )}
+                            {extensions.filter(
+                              (e) => !group.extension_ids.includes(e.id),
+                            ).length > 0 && (
+                              <Select
+                                value=""
+                                onValueChange={(extId) =>
+                                  handleAddToGroup(group.id, extId)
+                                }
+                              >
+                                <SelectTrigger className="h-8 text-xs">
+                                  <SelectValue
+                                    placeholder={t("extensions.addToGroup")}
+                                  />
+                                </SelectTrigger>
+                                <SelectContent>
+                                  {extensions
+                                    .filter(
+                                      (e) =>
+                                        !group.extension_ids.includes(e.id),
+                                    )
+                                    .map((ext) => (
+                                      <SelectItem key={ext.id} value={ext.id}>
+                                        {ext.name} (.{ext.file_type})
+                                      </SelectItem>
+                                    ))}
+                                </SelectContent>
+                              </Select>
+                            )}
+                          </div>
+                        </div>
+                      ))}
+                    </div>
+                  )}
+                </div>
+              )}
+            </div>
+          </div>
+
+          <DialogFooter>
+            <RippleButton variant="outline" onClick={onClose}>
+              {t("common.buttons.close")}
+            </RippleButton>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
+
+      {/* Delete extension confirmation */}
+      <DeleteConfirmationDialog
+        isOpen={extensionToDelete !== null}
+        onClose={() => setExtensionToDelete(null)}
+        onConfirm={handleDeleteExtension}
+        title={t("extensions.deleteConfirmTitle")}
+        description={t("extensions.deleteConfirmDescription", {
+          name: extensionToDelete?.name ?? "",
+        })}
+        isLoading={isDeleting}
+      />
+
+      {/* Delete group confirmation */}
+      <DeleteConfirmationDialog
+        isOpen={groupToDelete !== null}
+        onClose={() => setGroupToDelete(null)}
+        onConfirm={handleDeleteGroup}
+        title={t("extensions.deleteGroupConfirmTitle")}
+        description={t("extensions.deleteGroupConfirmDescription", {
+          name: groupToDelete?.name ?? "",
+        })}
+        isLoading={isDeleting}
+      />
+    </>
+  );
+}
@@ -2,7 +2,14 @@ import { useTranslation } from "react-i18next";
 import { FaDownload } from "react-icons/fa";
 import { FiWifi } from "react-icons/fi";
 import { GoGear, GoKebabHorizontal, GoPlus } from "react-icons/go";
-import { LuCloud, LuPlug, LuSearch, LuUsers, LuX } from "react-icons/lu";
+import {
+  LuCloud,
+  LuPlug,
+  LuPuzzle,
+  LuSearch,
+  LuUsers,
+  LuX,
+} from "react-icons/lu";
 import { Logo } from "./icons/logo";
 import { Button } from "./ui/button";
 import { CardTitle } from "./ui/card";
@@ -23,6 +30,7 @@ type Props = {
  onCreateProfileDialogOpen: (open: boolean) => void;
  onSyncConfigDialogOpen: (open: boolean) => void;
  onIntegrationsDialogOpen: (open: boolean) => void;
+  onExtensionManagementDialogOpen: (open: boolean) => void;
  searchQuery: string;
  onSearchQueryChange: (query: string) => void;
 };
@@ -35,6 +43,7 @@ const HomeHeader = ({
  onCreateProfileDialogOpen,
  onSyncConfigDialogOpen,
  onIntegrationsDialogOpen,
+  onExtensionManagementDialogOpen,
  searchQuery,
  onSearchQueryChange,
 }: Props) => {
@@ -124,6 +133,14 @@ const HomeHeader = ({
              <LuUsers className="mr-2 w-4 h-4" />
              {t("header.menu.groups")}
            </DropdownMenuItem>
+            <DropdownMenuItem
+              onClick={() => {
+                onExtensionManagementDialogOpen(true);
+              }}
+            >
+              <LuPuzzle className="mr-2 w-4 h-4" />
+              {t("header.menu.extensions")}
+            </DropdownMenuItem>
            <DropdownMenuItem
              onClick={() => {
                onSyncConfigDialogOpen(true);
@@ -16,16 +16,18 @@ import * as React from "react";
 import { useTranslation } from "react-i18next";
 import { FaApple, FaLinux, FaWindows } from "react-icons/fa";
 import { FiWifi } from "react-icons/fi";
-import { IoEllipsisHorizontal } from "react-icons/io5";
 import {
  LuCheck,
  LuChevronDown,
  LuChevronUp,
  LuCookie,
+  LuInfo,
+  LuLock,
  LuTrash2,
  LuUsers,
 } from "react-icons/lu";
 import { DeleteConfirmationDialog } from "@/components/delete-confirmation-dialog";
+import { ProfileInfoDialog } from "@/components/profile-info-dialog";
 import { Badge } from "@/components/ui/badge";
 import { Button } from "@/components/ui/button";
 import { Checkbox } from "@/components/ui/checkbox";
@@ -37,18 +39,11 @@ import {
  CommandItem,
  CommandList,
 } from "@/components/ui/command";
-import {
-  DropdownMenu,
-  DropdownMenuContent,
-  DropdownMenuItem,
-  DropdownMenuTrigger,
-} from "@/components/ui/dropdown-menu";
 import {
  Popover,
  PopoverContent,
  PopoverTrigger,
 } from "@/components/ui/popover";
-import { ProBadge } from "@/components/ui/pro-badge";
 import { ScrollArea } from "@/components/ui/scroll-area";
 import {
  Table,
@@ -64,8 +59,10 @@ import {
  TooltipTrigger,
 } from "@/components/ui/tooltip";
 import { useBrowserState } from "@/hooks/use-browser-state";
+import { useCloudAuth } from "@/hooks/use-cloud-auth";
 import { useProxyEvents } from "@/hooks/use-proxy-events";
 import { useTableSorting } from "@/hooks/use-table-sorting";
+import { useTeamLocks } from "@/hooks/use-team-locks";
 import { useVpnEvents } from "@/hooks/use-vpn-events";
 import {
  getBrowserDisplayName,
@@ -199,9 +196,18 @@ type TableMeta = {
    profileId: string,
    country: LocationItem,
  ) => Promise<void>;
+
+  // Team locks
+  isProfileLockedByAnother: (profileId: string) => boolean;
+  getProfileLockEmail: (profileId: string) => string | undefined;
 };

-type SyncStatusDot = { color: string; tooltip: string; animate: boolean };
+type SyncStatusDot = {
+  color: string;
+  tooltip: string;
+  animate: boolean;
+  encrypted: boolean;
+};

 function getProfileSyncStatusDot(
  profile: BrowserProfile,
@@ -214,6 +220,7 @@ function getProfileSyncStatusDot(
    | undefined,
  errorMessage?: string,
 ): SyncStatusDot | null {
+  const encrypted = profile.sync_mode === "Encrypted";
  const status =
    liveStatus ??
    (profile.sync_mode && profile.sync_mode !== "Disabled"
@@ -222,12 +229,18 @@ function getProfileSyncStatusDot(

  switch (status) {
    case "syncing":
-      return { color: "bg-yellow-500", tooltip: "Syncing...", animate: true };
+      return {
+        color: "bg-yellow-500",
+        tooltip: "Syncing...",
+        animate: true,
+        encrypted,
+      };
    case "waiting":
      return {
        color: "bg-yellow-500",
        tooltip: "Waiting to sync",
        animate: false,
+        encrypted,
      };
    case "synced":
      return {
@@ -236,12 +249,14 @@ function getProfileSyncStatusDot(
          ? `Synced ${new Date(profile.last_sync * 1000).toLocaleString()}`
          : "Synced",
        animate: false,
+        encrypted,
      };
    case "error":
      return {
        color: "bg-red-500",
        tooltip: errorMessage ? `Sync error: ${errorMessage}` : "Sync error",
        animate: false,
+        encrypted,
      };
    case "disabled":
      if (profile.last_sync) {
@@ -249,6 +264,7 @@ function getProfileSyncStatusDot(
          color: "bg-gray-400",
          tooltip: `Sync disabled, last sync ${formatRelativeTime(profile.last_sync)}`,
          animate: false,
+          encrypted: false,
        };
      }
      return null;
@@ -868,6 +884,8 @@ export function ProfilesDataTable({
  const [profileToDelete, setProfileToDelete] =
    React.useState<BrowserProfile | null>(null);
  const [isDeleting, setIsDeleting] = React.useState(false);
+  const [profileForInfoDialog, setProfileForInfoDialog] =
+    React.useState<BrowserProfile | null>(null);
  const [launchingProfiles, setLaunchingProfiles] = React.useState<Set<string>>(
    new Set(),
  );
@@ -877,6 +895,8 @@ export function ProfilesDataTable({

  const { storedProxies } = useProxyEvents();
  const { vpnConfigs } = useVpnEvents();
+  const { user } = useCloudAuth();
+  const { isProfileLocked, getLockInfo } = useTeamLocks(user?.id);

  const [proxyOverrides, setProxyOverrides] = React.useState<
    Record<string, string | null>
@@ -1492,6 +1512,11 @@ export function ProfilesDataTable({
      canCreateLocationProxy,
      loadCountries,
      handleCreateCountryProxy,
+
+      // Team locks
+      isProfileLockedByAnother: isProfileLocked,
+      getProfileLockEmail: (profileId: string) =>
+        getLockInfo(profileId)?.lockedByEmail,
    }),
    [
      t,
@@ -1544,6 +1569,8 @@ export function ProfilesDataTable({
      canCreateLocationProxy,
      loadCountries,
      handleCreateCountryProxy,
+      isProfileLocked,
+      getLockInfo,
    ],
  );

@@ -1586,6 +1613,7 @@ export function ProfilesDataTable({
            const osName = profile.host_os
              ? getOSDisplayName(profile.host_os)
              : "another OS";
+            const crossOsTooltip = t("crossOs.viewOnly", { os: osName });
            const OsIcon =
              profile.host_os === "macos"
                ? FaApple
@@ -1610,10 +1638,7 @@ export function ProfilesDataTable({
                  </span>
                </TooltipTrigger>
                <TooltipContent>
-                  <p>
-                    This profile was created on {osName} and is not supported on
-                    this system
-                  </p>
+                  <p>{crossOsTooltip}</p>
                </TooltipContent>
              </Tooltip>
            );
@@ -1624,14 +1649,10 @@ export function ProfilesDataTable({
            const osName = profile.host_os
              ? getOSDisplayName(profile.host_os)
              : "another OS";
+            const crossOsTooltip = t("crossOs.viewOnly", { os: osName });
            return (
              <NonHoverableTooltip
-                content={
-                  <p>
-                    This profile was created on {osName} and is not supported on
-                    this system
-                  </p>
-                }
+                content={<p>{crossOsTooltip}</p>}
                sideOffset={4}
                horizontalOffset={8}
              >
@@ -1734,9 +1755,13 @@ export function ProfilesDataTable({
            meta.isClient && meta.runningProfiles.has(profile.id);
          const isLaunching = meta.launchingProfiles.has(profile.id);
          const isStopping = meta.stoppingProfiles.has(profile.id);
-          const canLaunch = meta.browserState.canLaunchProfile(profile);
-          const tooltipContent =
-            meta.browserState.getLaunchTooltipContent(profile);
+          const isLockedByAnother = meta.isProfileLockedByAnother(profile.id);
+          const canLaunch =
+            meta.browserState.canLaunchProfile(profile) && !isLockedByAnother;
+          const lockEmail = meta.getProfileLockEmail(profile.id);
+          const tooltipContent = isLockedByAnother
+            ? meta.t("sync.team.cannotLaunchLocked", { email: lockEmail })
+            : meta.browserState.getLaunchTooltipContent(profile);

          const handleProfileStop = async (profile: BrowserProfile) => {
            meta.setStoppingProfiles((prev: Set<string>) =>
@@ -1900,34 +1925,50 @@ export function ProfilesDataTable({
          const isStopping = meta.stoppingProfiles.has(profile.id);
          const isDisabled =
            isRunning || isLaunching || isStopping || isCrossOs;
+          const lockedEmail = meta.getProfileLockEmail(profile.id);
+          const isLocked = meta.isProfileLockedByAnother(profile.id);

          return (
-            <button
-              type="button"
-              className={cn(
-                "px-2 py-1 mr-auto text-left bg-transparent rounded border-none w-30 h-6",
-                isDisabled
-                  ? "opacity-60 cursor-not-allowed"
-                  : "cursor-pointer hover:bg-accent/50",
-              )}
-              onClick={() => {
-                if (isDisabled) return;
-                meta.setProfileToRename(profile);
-                meta.setNewProfileName(profile.name);
-                meta.setRenameError(null);
-              }}
-              onKeyDown={(e) => {
-                if (isDisabled) return;
-                if (e.key === "Enter" || e.key === " ") {
-                  e.preventDefault();
+            <div className="flex items-center gap-1">
+              <button
+                type="button"
+                className={cn(
+                  "px-2 py-1 mr-auto text-left bg-transparent rounded border-none w-30 h-6",
+                  isDisabled
+                    ? "opacity-60 cursor-not-allowed"
+                    : "cursor-pointer hover:bg-accent/50",
+                )}
+                onClick={() => {
+                  if (isDisabled) return;
                  meta.setProfileToRename(profile);
                  meta.setNewProfileName(profile.name);
                  meta.setRenameError(null);
-                }
-              }}
-            >
-              {display}
-            </button>
+                }}
+                onKeyDown={(e) => {
+                  if (isDisabled) return;
+                  if (e.key === "Enter" || e.key === " ") {
+                    e.preventDefault();
+                    meta.setProfileToRename(profile);
+                    meta.setNewProfileName(profile.name);
+                    meta.setRenameError(null);
+                  }
+                }}
+              >
+                {display}
+              </button>
+              {isLocked && (
+                <Tooltip>
+                  <TooltipTrigger asChild>
+                    <span>
+                      <LuLock className="w-3 h-3 text-muted-foreground" />
+                    </span>
+                  </TooltipTrigger>
+                  <TooltipContent>
+                    {meta.t("sync.team.profileLocked", { email: lockedEmail })}
+                  </TooltipContent>
+                </Tooltip>
+              )}
+            </div>
          );
        },
      },
@@ -2277,9 +2318,15 @@ export function ProfilesDataTable({
            <Tooltip>
              <TooltipTrigger asChild>
                <span className="flex justify-center items-center w-3 h-3">
-                  <span
-                    className={`w-2 h-2 rounded-full ${dot.color}${dot.animate ? " animate-pulse" : ""}`}
-                  />
+                  {dot.encrypted ? (
+                    <LuLock
+                      className={`w-3 h-3 ${dot.color.replace("bg-", "text-")}${dot.animate ? " animate-pulse" : ""}`}
+                    />
+                  ) : (
+                    <span
+                      className={`w-2 h-2 rounded-full ${dot.color}${dot.animate ? " animate-pulse" : ""}`}
+                    />
+                  )}
                </span>
              </TooltipTrigger>
              <TooltipContent>{dot.tooltip}</TooltipContent>
@@ -2289,132 +2336,28 @@ export function ProfilesDataTable({
      },
      {
        id: "settings",
+        size: 40,
        cell: ({ row, table }) => {
          const meta = table.options.meta as TableMeta;
          const profile = row.original;
-          const isCrossOs = isCrossOsProfile(profile);
-          const isRunning =
-            meta.isClient && meta.runningProfiles.has(profile.id);
-          const isLaunching = meta.launchingProfiles.has(profile.id);
-          const isStopping = meta.stoppingProfiles.has(profile.id);
-          const isDisabled =
-            isRunning || isLaunching || isStopping || isCrossOs;
-          const isDeleteDisabled = isRunning || isLaunching || isStopping;

          return (
            <div className="flex justify-end items-center">
-              <DropdownMenu>
-                <DropdownMenuTrigger asChild>
-                  <Button
-                    variant="ghost"
-                    className="p-0 w-8 h-8"
-                    disabled={!meta.isClient}
-                  >
-                    <span className="sr-only">Open menu</span>
-                    <IoEllipsisHorizontal className="w-4 h-4" />
-                  </Button>
-                </DropdownMenuTrigger>
-                <DropdownMenuContent align="end">
-                  <DropdownMenuItem
-                    onClick={() => {
-                      meta.onOpenTrafficDialog?.(profile.id);
-                    }}
-                    disabled={isCrossOs}
-                  >
-                    {meta.t("profiles.actions.viewNetwork")}
-                  </DropdownMenuItem>
-                  {!profile.ephemeral && (
-                    <DropdownMenuItem
-                      onClick={() => {
-                        meta.onOpenProfileSyncDialog?.(profile);
-                      }}
-                      disabled={isCrossOs}
-                    >
-                      {meta.t("profiles.actions.syncSettings")}
-                    </DropdownMenuItem>
-                  )}
-                  <DropdownMenuItem
-                    onClick={() => {
-                      meta.onAssignProfilesToGroup?.([profile.id]);
-                    }}
-                    disabled={isDisabled}
-                  >
-                    {meta.t("profiles.actions.assignToGroup")}
-                  </DropdownMenuItem>
-                  {(profile.browser === "camoufox" ||
-                    profile.browser === "wayfern") &&
-                    meta.onConfigureCamoufox && (
-                      <DropdownMenuItem
-                        onClick={() => {
-                          meta.onConfigureCamoufox?.(profile);
-                        }}
-                        disabled={isDisabled}
-                      >
-                        {meta.t("profiles.actions.changeFingerprint")}
-                      </DropdownMenuItem>
-                    )}
-                  {(profile.browser === "camoufox" ||
-                    profile.browser === "wayfern") &&
-                    !profile.ephemeral &&
-                    meta.onCopyCookiesToProfile && (
-                      <DropdownMenuItem
-                        onClick={() => {
-                          if (meta.crossOsUnlocked) {
-                            meta.onCopyCookiesToProfile?.(profile);
-                          }
-                        }}
-                        disabled={isDisabled || !meta.crossOsUnlocked}
-                      >
-                        <span className="flex items-center gap-2">
-                          {meta.t("profiles.actions.copyCookiesToProfile")}
-                          {!meta.crossOsUnlocked && <ProBadge />}
-                        </span>
-                      </DropdownMenuItem>
-                    )}
-                  {(profile.browser === "camoufox" ||
-                    profile.browser === "wayfern") &&
-                    !profile.ephemeral &&
-                    meta.onOpenCookieManagement && (
-                      <DropdownMenuItem
-                        onClick={() => {
-                          if (meta.crossOsUnlocked) {
-                            meta.onOpenCookieManagement?.(profile);
-                          }
-                        }}
-                        disabled={isDisabled || !meta.crossOsUnlocked}
-                      >
-                        <span className="flex items-center gap-2">
-                          {meta.t("cookies.management.menuItem")}
-                          {!meta.crossOsUnlocked && <ProBadge />}
-                        </span>
-                      </DropdownMenuItem>
-                    )}
-                  {!profile.ephemeral && (
-                    <DropdownMenuItem
-                      onClick={() => {
-                        meta.onCloneProfile?.(profile);
-                      }}
-                      disabled={isDisabled}
-                    >
-                      {meta.t("profiles.actions.clone")}
-                    </DropdownMenuItem>
-                  )}
-                  <DropdownMenuItem
-                    onClick={() => {
-                      setProfileToDelete(profile);
-                    }}
-                    disabled={isDeleteDisabled}
-                  >
-                    {meta.t("profiles.actions.delete")}
-                  </DropdownMenuItem>
-                </DropdownMenuContent>
-              </DropdownMenu>
+              <Button
+                variant="ghost"
+                className="p-0 w-8 h-8"
+                disabled={!meta.isClient}
+                onClick={() => setProfileForInfoDialog(profile)}
+              >
+                <span className="sr-only">Profile info</span>
+                <LuInfo className="w-4 h-4" />
+              </Button>
            </div>
          );
        },
      },
    ],
-    [],
+    [t],
  );

  const table = useReactTable({
@@ -2456,7 +2399,14 @@ export function ProfilesDataTable({
              <TableRow key={headerGroup.id} className="overflow-visible">
                {headerGroup.headers.map((header) => {
                  return (
-                    <TableHead key={header.id}>
+                    <TableHead
+                      key={header.id}
+                      style={{
+                        width: header.column.columnDef.size
+                          ? `${header.column.getSize()}px`
+                          : undefined,
+                      }}
+                    >
                      {header.isPlaceholder
                        ? null
                        : flexRender(
@@ -2471,25 +2421,42 @@ export function ProfilesDataTable({
          </TableHeader>
          <TableBody className="overflow-visible">
            {table.getRowModel().rows?.length ? (
-              table.getRowModel().rows.map((row) => (
-                <TableRow
-                  key={row.id}
-                  data-state={row.getIsSelected() && "selected"}
-                  className={cn(
-                    "overflow-visible hover:bg-accent/50",
-                    isCrossOsProfile(row.original) && "opacity-60",
-                  )}
-                >
-                  {row.getVisibleCells().map((cell) => (
-                    <TableCell key={cell.id} className="overflow-visible">
-                      {flexRender(
-                        cell.column.columnDef.cell,
-                        cell.getContext(),
-                      )}
-                    </TableCell>
-                  ))}
-                </TableRow>
-              ))
+              table.getRowModel().rows.map((row) => {
+                const rowIsCrossOs = isCrossOsProfile(row.original);
+                const crossOsTitle = rowIsCrossOs
+                  ? t("crossOs.viewOnly", {
+                      os: getOSDisplayName(row.original.host_os ?? ""),
+                    })
+                  : undefined;
+                return (
+                  <TableRow
+                    key={row.id}
+                    data-state={row.getIsSelected() && "selected"}
+                    title={crossOsTitle}
+                    className={cn(
+                      "overflow-visible hover:bg-accent/50",
+                      rowIsCrossOs && "opacity-60",
+                    )}
+                  >
+                    {row.getVisibleCells().map((cell) => (
+                      <TableCell
+                        key={cell.id}
+                        className="overflow-visible"
+                        style={{
+                          width: cell.column.columnDef.size
+                            ? `${cell.column.getSize()}px`
+                            : undefined,
+                        }}
+                      >
+                        {flexRender(
+                          cell.column.columnDef.cell,
+                          cell.getContext(),
+                        )}
+                      </TableCell>
+                    ))}
+                  </TableRow>
+                );
+              })
            ) : (
              <TableRow>
                <TableCell
@@ -2512,6 +2479,45 @@ export function ProfilesDataTable({
        confirmButtonText="Delete Profile"
        isLoading={isDeleting}
      />
+      {profileForInfoDialog &&
+        (() => {
+          const infoProfile = profileForInfoDialog;
+          const infoIsRunning =
+            browserState.isClient && runningProfiles.has(infoProfile.id);
+          const infoIsLaunching = launchingProfiles.has(infoProfile.id);
+          const infoIsStopping = stoppingProfiles.has(infoProfile.id);
+          const infoIsCrossOs = isCrossOsProfile(infoProfile);
+          const infoIsDisabled =
+            infoIsRunning || infoIsLaunching || infoIsStopping || infoIsCrossOs;
+          return (
+            <ProfileInfoDialog
+              isOpen={profileForInfoDialog !== null}
+              onClose={() => setProfileForInfoDialog(null)}
+              profile={infoProfile}
+              storedProxies={storedProxies}
+              vpnConfigs={vpnConfigs}
+              onOpenTrafficDialog={(profileId) => {
+                const profile = profiles.find((p) => p.id === profileId);
+                setTrafficDialogProfile({ id: profileId, name: profile?.name });
+              }}
+              onOpenProfileSyncDialog={onOpenProfileSyncDialog}
+              onAssignProfilesToGroup={onAssignProfilesToGroup}
+              onConfigureCamoufox={onConfigureCamoufox}
+              onCopyCookiesToProfile={onCopyCookiesToProfile}
+              onOpenCookieManagement={onOpenCookieManagement}
+              onCloneProfile={onCloneProfile}
+              onDeleteProfile={(profile) => {
+                setProfileForInfoDialog(null);
+                setProfileToDelete(profile);
+              }}
+              crossOsUnlocked={crossOsUnlocked}
+              isRunning={infoIsRunning}
+              isDisabled={infoIsDisabled}
+              isCrossOs={infoIsCrossOs}
+              syncStatuses={syncStatuses}
+            />
+          );
+        })()}
      <DataTableActionBar table={table}>
        <DataTableActionBarSelection table={table} />
        {onBulkGroupAssignment && (
@@ -0,0 +1,629 @@
+"use client";
+
+import { invoke } from "@tauri-apps/api/core";
+import * as React from "react";
+import { useTranslation } from "react-i18next";
+import { FaApple, FaLinux, FaWindows } from "react-icons/fa";
+import {
+  LuChevronRight,
+  LuClipboard,
+  LuClipboardCheck,
+  LuCookie,
+  LuCopy,
+  LuFingerprint,
+  LuGlobe,
+  LuGroup,
+  LuPlus,
+  LuRefreshCw,
+  LuSettings,
+  LuShieldCheck,
+  LuTrash2,
+  LuX,
+} from "react-icons/lu";
+import { Badge } from "@/components/ui/badge";
+import { Button } from "@/components/ui/button";
+import {
+  Dialog,
+  DialogContent,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import { Input } from "@/components/ui/input";
+import { ProBadge } from "@/components/ui/pro-badge";
+import { ScrollArea } from "@/components/ui/scroll-area";
+import { Tabs, TabsContent, TabsList, TabsTrigger } from "@/components/ui/tabs";
+import {
+  getBrowserDisplayName,
+  getOSDisplayName,
+  getProfileIcon,
+  isCrossOsProfile,
+} from "@/lib/browser-utils";
+import { formatRelativeTime } from "@/lib/flag-utils";
+import { cn } from "@/lib/utils";
+import type {
+  BrowserProfile,
+  ProfileGroup,
+  StoredProxy,
+  VpnConfig,
+} from "@/types";
+
+interface ProfileInfoDialogProps {
+  isOpen: boolean;
+  onClose: () => void;
+  profile: BrowserProfile | null;
+  storedProxies: StoredProxy[];
+  vpnConfigs: VpnConfig[];
+  onOpenTrafficDialog?: (profileId: string) => void;
+  onOpenProfileSyncDialog?: (profile: BrowserProfile) => void;
+  onAssignProfilesToGroup?: (profileIds: string[]) => void;
+  onConfigureCamoufox?: (profile: BrowserProfile) => void;
+  onCopyCookiesToProfile?: (profile: BrowserProfile) => void;
+  onOpenCookieManagement?: (profile: BrowserProfile) => void;
+  onCloneProfile?: (profile: BrowserProfile) => void;
+  onDeleteProfile?: (profile: BrowserProfile) => void;
+  crossOsUnlocked?: boolean;
+  isRunning?: boolean;
+  isDisabled?: boolean;
+  isCrossOs?: boolean;
+  syncStatuses: Record<string, { status: string; error?: string }>;
+}
+
+function OSIcon({ os }: { os: string }) {
+  switch (os) {
+    case "macos":
+      return <FaApple className="w-3.5 h-3.5" />;
+    case "windows":
+      return <FaWindows className="w-3.5 h-3.5" />;
+    case "linux":
+      return <FaLinux className="w-3.5 h-3.5" />;
+    default:
+      return null;
+  }
+}
+
+function InfoCard({ label, value }: { label: string; value: string }) {
+  return (
+    <div className="rounded-md bg-muted/50 border px-3 py-2.5">
+      <p className="text-xs text-muted-foreground">{label}</p>
+      <p className="text-sm mt-0.5 truncate">{value}</p>
+    </div>
+  );
+}
+
+export function ProfileInfoDialog({
+  isOpen,
+  onClose,
+  profile,
+  storedProxies,
+  vpnConfigs,
+  onOpenTrafficDialog,
+  onOpenProfileSyncDialog,
+  onAssignProfilesToGroup,
+  onConfigureCamoufox,
+  onCopyCookiesToProfile,
+  onOpenCookieManagement,
+  onCloneProfile,
+  onDeleteProfile,
+  crossOsUnlocked = false,
+  isRunning = false,
+  isDisabled = false,
+  isCrossOs = false,
+  syncStatuses,
+}: ProfileInfoDialogProps) {
+  const { t } = useTranslation();
+  const [copied, setCopied] = React.useState(false);
+  const [groupName, setGroupName] = React.useState<string | null>(null);
+  const [extensionGroupName, setExtensionGroupName] = React.useState<
+    string | null
+  >(null);
+  const [bypassRules, setBypassRules] = React.useState<string[]>([]);
+  const [newRule, setNewRule] = React.useState("");
+  const [bypassRulesDialogOpen, setBypassRulesDialogOpen] =
+    React.useState(false);
+
+  React.useEffect(() => {
+    if (!isOpen || !profile?.group_id) {
+      setGroupName(null);
+      return;
+    }
+    (async () => {
+      try {
+        const groups = await invoke<ProfileGroup[]>("get_groups");
+        const group = groups.find((g) => g.id === profile.group_id);
+        setGroupName(group?.name ?? null);
+      } catch {
+        setGroupName(null);
+      }
+    })();
+  }, [isOpen, profile?.group_id]);
+
+  React.useEffect(() => {
+    if (!isOpen || !profile?.extension_group_id) {
+      setExtensionGroupName(null);
+      return;
+    }
+    (async () => {
+      try {
+        const group = await invoke<{ name: string } | null>(
+          "get_extension_group_for_profile",
+          { profileId: profile.id },
+        );
+        setExtensionGroupName(group?.name ?? null);
+      } catch {
+        setExtensionGroupName(null);
+      }
+    })();
+  }, [isOpen, profile?.extension_group_id, profile?.id]);
+
+  React.useEffect(() => {
+    if (!isOpen) {
+      setCopied(false);
+      setNewRule("");
+    }
+    if (isOpen && profile) {
+      setBypassRules(profile.proxy_bypass_rules ?? []);
+    }
+  }, [isOpen, profile]);
+
+  if (!profile) return null;
+
+  const ProfileIcon = getProfileIcon(profile);
+  const isCamoufoxOrWayfern =
+    profile.browser === "camoufox" || profile.browser === "wayfern";
+  const isDeleteDisabled = isRunning;
+
+  const proxyName = profile.proxy_id
+    ? storedProxies.find((p) => p.id === profile.proxy_id)?.name
+    : null;
+  const vpnName = profile.vpn_id
+    ? vpnConfigs.find((v) => v.id === profile.vpn_id)?.name
+    : null;
+  const networkLabel = vpnName
+    ? `VPN: ${vpnName}`
+    : proxyName
+      ? `Proxy: ${proxyName}`
+      : t("profileInfo.values.none");
+
+  const syncStatus = syncStatuses[profile.id];
+  const syncMode = profile.sync_mode ?? "Disabled";
+  const syncLabel = syncStatus
+    ? `${syncMode} (${syncStatus.status})`
+    : syncMode;
+
+  const handleCopyId = async () => {
+    try {
+      await navigator.clipboard.writeText(profile.id);
+      setCopied(true);
+      setTimeout(() => setCopied(false), 2000);
+    } catch {
+      // ignore
+    }
+  };
+
+  const handleAction = (action: () => void) => {
+    onClose();
+    action();
+  };
+
+  const updateBypassRules = async (rules: string[]) => {
+    if (!profile) return;
+    try {
+      await invoke("update_profile_proxy_bypass_rules", {
+        profileId: profile.id,
+        rules,
+      });
+      setBypassRules(rules);
+    } catch {
+      // ignore
+    }
+  };
+
+  const handleAddRule = () => {
+    const trimmed = newRule.trim();
+    if (!trimmed || bypassRules.includes(trimmed)) return;
+    const updated = [...bypassRules, trimmed];
+    setNewRule("");
+    void updateBypassRules(updated);
+  };
+
+  const handleRemoveRule = (rule: string) => {
+    void updateBypassRules(bypassRules.filter((r) => r !== rule));
+  };
+
+  const releaseLabel =
+    profile.release_type.charAt(0).toUpperCase() +
+    profile.release_type.slice(1);
+  const hasTags = profile.tags && profile.tags.length > 0;
+  const hasNote = !!profile.note;
+  const showCrossOs = !!(profile.host_os && isCrossOsProfile(profile));
+
+  type ActionItem = {
+    icon: React.ReactNode;
+    label: string;
+    onClick: () => void;
+    disabled?: boolean;
+    destructive?: boolean;
+    proBadge?: boolean;
+    hidden?: boolean;
+  };
+
+  const actions: ActionItem[] = [
+    {
+      icon: <LuGlobe className="w-4 h-4" />,
+      label: t("profiles.actions.viewNetwork"),
+      onClick: () => handleAction(() => onOpenTrafficDialog?.(profile.id)),
+      disabled: isCrossOs,
+    },
+    {
+      icon: <LuRefreshCw className="w-4 h-4" />,
+      label: t("profiles.actions.syncSettings"),
+      onClick: () => handleAction(() => onOpenProfileSyncDialog?.(profile)),
+      disabled: isCrossOs,
+      hidden: profile.ephemeral === true,
+    },
+    {
+      icon: <LuGroup className="w-4 h-4" />,
+      label: t("profiles.actions.assignToGroup"),
+      onClick: () =>
+        handleAction(() => onAssignProfilesToGroup?.([profile.id])),
+      disabled: isDisabled,
+    },
+    {
+      icon: <LuFingerprint className="w-4 h-4" />,
+      label: t("profiles.actions.changeFingerprint"),
+      onClick: () => handleAction(() => onConfigureCamoufox?.(profile)),
+      disabled: isDisabled,
+      hidden: !isCamoufoxOrWayfern || !onConfigureCamoufox,
+    },
+    {
+      icon: <LuCopy className="w-4 h-4" />,
+      label: t("profiles.actions.copyCookiesToProfile"),
+      onClick: () => handleAction(() => onCopyCookiesToProfile?.(profile)),
+      disabled: isDisabled || !crossOsUnlocked,
+      proBadge: !crossOsUnlocked,
+      hidden:
+        !isCamoufoxOrWayfern ||
+        profile.ephemeral === true ||
+        !onCopyCookiesToProfile,
+    },
+    {
+      icon: <LuCookie className="w-4 h-4" />,
+      label: t("profileInfo.actions.manageCookies"),
+      onClick: () => handleAction(() => onOpenCookieManagement?.(profile)),
+      disabled: isDisabled || !crossOsUnlocked,
+      proBadge: !crossOsUnlocked,
+      hidden:
+        !isCamoufoxOrWayfern ||
+        profile.ephemeral === true ||
+        !onOpenCookieManagement,
+    },
+    {
+      icon: <LuSettings className="w-4 h-4" />,
+      label: t("profiles.actions.clone"),
+      onClick: () => handleAction(() => onCloneProfile?.(profile)),
+      disabled: isDisabled,
+      hidden: profile.ephemeral === true,
+    },
+    {
+      icon: <LuShieldCheck className="w-4 h-4" />,
+      label: t("profileInfo.network.bypassRulesTitle"),
+      onClick: () => setBypassRulesDialogOpen(true),
+    },
+    {
+      icon: <LuTrash2 className="w-4 h-4" />,
+      label: t("profiles.actions.delete"),
+      onClick: () => handleAction(() => onDeleteProfile?.(profile)),
+      disabled: isDeleteDisabled,
+      destructive: true,
+    },
+  ];
+
+  const visibleActions = actions.filter((a) => !a.hidden);
+
+  return (
+    <>
+      <Dialog open={isOpen} onOpenChange={(open) => !open && onClose()}>
+        <DialogContent className="sm:max-w-2xl max-h-[80vh] flex flex-col overflow-hidden">
+          <DialogHeader className="shrink-0">
+            <DialogTitle>{t("profileInfo.title")}</DialogTitle>
+          </DialogHeader>
+          <Tabs defaultValue="info" className="flex-1 min-h-0 flex flex-col">
+            <TabsList className="w-full shrink-0">
+              <TabsTrigger value="info" className="flex-1">
+                {t("profileInfo.tabs.info")}
+              </TabsTrigger>
+              <TabsTrigger value="settings" className="flex-1">
+                {t("profileInfo.tabs.settings")}
+              </TabsTrigger>
+            </TabsList>
+            <TabsContent value="info" className="flex-1 min-h-0 flex flex-col">
+              <ScrollArea className="flex-1 min-h-0">
+                <div className="flex flex-col gap-4 py-3 pr-3">
+                  {/* Hero */}
+                  <div className="flex items-center gap-3">
+                    <div className="rounded-lg bg-muted p-2.5 shrink-0">
+                      <ProfileIcon className="w-8 h-8 text-foreground" />
+                    </div>
+                    <div className="min-w-0 flex-1">
+                      <h3 className="text-base font-semibold truncate">
+                        {profile.name}
+                      </h3>
+                      <div className="flex flex-wrap items-center gap-1.5 mt-1">
+                        <Badge variant="secondary" className="text-xs">
+                          {getBrowserDisplayName(profile.browser)}{" "}
+                          {profile.version}
+                        </Badge>
+                        <Badge variant="outline" className="text-xs">
+                          {releaseLabel}
+                        </Badge>
+                        {isRunning && (
+                          <Badge className="text-xs bg-primary/15 text-primary border-primary/25">
+                            {t("common.status.running")}
+                          </Badge>
+                        )}
+                        {profile.ephemeral && (
+                          <Badge variant="outline" className="text-xs">
+                            {t("profiles.ephemeralBadge")}
+                          </Badge>
+                        )}
+                        {showCrossOs && profile.host_os && (
+                          <Badge variant="outline" className="text-xs gap-1">
+                            <OSIcon os={profile.host_os} />
+                            {getOSDisplayName(profile.host_os)}
+                          </Badge>
+                        )}
+                      </div>
+                    </div>
+                  </div>
+
+                  {/* Profile ID */}
+                  <div className="flex items-center gap-2 rounded-md bg-muted/50 border px-3 py-2">
+                    <span className="text-xs text-muted-foreground shrink-0">
+                      ID
+                    </span>
+                    <span className="font-mono text-xs truncate flex-1">
+                      {profile.id}
+                    </span>
+                    <button
+                      type="button"
+                      onClick={() => void handleCopyId()}
+                      className="text-muted-foreground hover:text-foreground transition-colors shrink-0"
+                    >
+                      {copied ? (
+                        <LuClipboardCheck className="w-3.5 h-3.5" />
+                      ) : (
+                        <LuClipboard className="w-3.5 h-3.5" />
+                      )}
+                    </button>
+                  </div>
+
+                  {/* Network & Organization */}
+                  <div className="grid grid-cols-2 gap-2">
+                    <InfoCard
+                      label={t("profileInfo.fields.proxyVpn")}
+                      value={networkLabel}
+                    />
+                    <InfoCard
+                      label={t("profileInfo.fields.group")}
+                      value={groupName ?? t("profileInfo.values.none")}
+                    />
+                    <InfoCard
+                      label={t("profileInfo.fields.extensionGroup")}
+                      value={extensionGroupName ?? t("profileInfo.values.none")}
+                    />
+                    <InfoCard
+                      label={t("profileInfo.fields.lastLaunched")}
+                      value={
+                        profile.last_launch
+                          ? formatRelativeTime(profile.last_launch)
+                          : t("profileInfo.values.never")
+                      }
+                    />
+                  </div>
+
+                  {/* Sync */}
+                  <div className="rounded-md bg-muted/50 border px-3 py-2.5 flex items-center justify-between">
+                    <div>
+                      <p className="text-xs text-muted-foreground">
+                        {t("profileInfo.fields.syncStatus")}
+                      </p>
+                      <p className="text-sm mt-0.5">{syncLabel}</p>
+                    </div>
+                    <Badge
+                      variant={
+                        syncMode === "Disabled" ? "outline" : "secondary"
+                      }
+                      className="text-xs shrink-0"
+                    >
+                      {syncMode === "Disabled"
+                        ? t("sync.mode.disabled")
+                        : syncStatus?.status === "syncing"
+                          ? t("common.status.syncing")
+                          : t("common.status.synced")}
+                    </Badge>
+                  </div>
+
+                  {/* Tags */}
+                  {hasTags && (
+                    <div className="flex flex-col gap-1.5">
+                      <span className="text-xs text-muted-foreground">
+                        {t("profileInfo.fields.tags")}
+                      </span>
+                      <div className="flex flex-wrap gap-1.5">
+                        {profile.tags?.map((tag) => (
+                          <Badge
+                            key={tag}
+                            variant="secondary"
+                            className="text-xs"
+                          >
+                            {tag}
+                          </Badge>
+                        ))}
+                      </div>
+                    </div>
+                  )}
+
+                  {/* Note */}
+                  {hasNote && (
+                    <div className="flex flex-col gap-1.5">
+                      <span className="text-xs text-muted-foreground">
+                        {t("profileInfo.fields.note")}
+                      </span>
+                      <p className="text-sm rounded-md bg-muted/50 border px-3 py-2 whitespace-pre-wrap break-words">
+                        {profile.note}
+                      </p>
+                    </div>
+                  )}
+
+                  {/* Team */}
+                  {profile.created_by_email && (
+                    <div className="rounded-md bg-muted/50 border px-3 py-2.5">
+                      <p className="text-xs text-muted-foreground">
+                        {t("sync.team.title")}
+                      </p>
+                      <p className="text-sm mt-0.5">
+                        {t("sync.team.createdBy", {
+                          email: profile.created_by_email,
+                        })}
+                      </p>
+                    </div>
+                  )}
+                </div>
+              </ScrollArea>
+            </TabsContent>
+            <TabsContent
+              value="settings"
+              className="flex-1 min-h-0 flex flex-col"
+            >
+              <ScrollArea className="flex-1 min-h-0">
+                <div className="flex flex-col py-1">
+                  {visibleActions.map((action) => (
+                    <button
+                      key={action.label}
+                      type="button"
+                      disabled={action.disabled}
+                      onClick={action.onClick}
+                      className={cn(
+                        "flex items-center gap-3 px-3 py-2.5 rounded-md text-sm transition-colors text-left w-full",
+                        "hover:bg-accent disabled:opacity-50 disabled:pointer-events-none",
+                        action.destructive &&
+                          "text-destructive hover:bg-destructive/10",
+                      )}
+                    >
+                      {action.icon}
+                      <span className="flex-1 flex items-center gap-2">
+                        {action.label}
+                        {action.proBadge && <ProBadge />}
+                      </span>
+                      <LuChevronRight className="w-4 h-4 text-muted-foreground" />
+                    </button>
+                  ))}
+                </div>
+              </ScrollArea>
+            </TabsContent>
+          </Tabs>
+          <DialogFooter className="shrink-0">
+            <Button variant="outline" onClick={onClose}>
+              {t("common.buttons.close")}
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
+      <ProfileBypassRulesDialog
+        isOpen={bypassRulesDialogOpen}
+        onClose={() => setBypassRulesDialogOpen(false)}
+        bypassRules={bypassRules}
+        newRule={newRule}
+        onNewRuleChange={setNewRule}
+        onAddRule={handleAddRule}
+        onRemoveRule={handleRemoveRule}
+      />
+    </>
+  );
+}
+
+interface ProfileBypassRulesDialogProps {
+  isOpen: boolean;
+  onClose: () => void;
+  bypassRules: string[];
+  newRule: string;
+  onNewRuleChange: (value: string) => void;
+  onAddRule: () => void;
+  onRemoveRule: (rule: string) => void;
+}
+
+function ProfileBypassRulesDialog({
+  isOpen,
+  onClose,
+  bypassRules,
+  newRule,
+  onNewRuleChange,
+  onAddRule,
+  onRemoveRule,
+}: ProfileBypassRulesDialogProps) {
+  const { t } = useTranslation();
+
+  return (
+    <Dialog open={isOpen} onOpenChange={(open) => !open && onClose()}>
+      <DialogContent className="sm:max-w-lg max-h-[80vh] flex flex-col">
+        <DialogHeader className="shrink-0">
+          <DialogTitle>{t("profileInfo.network.bypassRulesTitle")}</DialogTitle>
+        </DialogHeader>
+        <ScrollArea className="flex-1 min-h-0">
+          <div className="flex flex-col gap-3 py-2">
+            <p className="text-sm text-muted-foreground">
+              {t("profileInfo.network.bypassRulesDescription")}
+            </p>
+            <div className="flex gap-2">
+              <Input
+                value={newRule}
+                onChange={(e) => onNewRuleChange(e.target.value)}
+                onKeyDown={(e) => {
+                  if (e.key === "Enter") onAddRule();
+                }}
+                placeholder={t("profileInfo.network.rulePlaceholder")}
+                className="flex-1 text-sm"
+              />
+              <Button size="sm" onClick={onAddRule} disabled={!newRule.trim()}>
+                <LuPlus className="w-4 h-4 mr-1" />
+                {t("profileInfo.network.addRule")}
+              </Button>
+            </div>
+            {bypassRules.length === 0 ? (
+              <p className="text-sm text-muted-foreground py-2">
+                {t("profileInfo.network.noRules")}
+              </p>
+            ) : (
+              <div className="flex flex-col gap-1.5">
+                {bypassRules.map((rule) => (
+                  <div
+                    key={rule}
+                    className="flex items-center justify-between gap-2 px-3 py-1.5 rounded-md bg-muted text-sm"
+                  >
+                    <span className="font-mono text-xs truncate">{rule}</span>
+                    <button
+                      type="button"
+                      onClick={() => onRemoveRule(rule)}
+                      className="text-muted-foreground hover:text-destructive transition-colors shrink-0"
+                    >
+                      <LuX className="w-3.5 h-3.5" />
+                    </button>
+                  </div>
+                ))}
+              </div>
+            )}
+            <p className="text-xs text-muted-foreground">
+              {t("profileInfo.network.ruleTypes")}
+            </p>
+          </div>
+        </ScrollArea>
+        <DialogFooter className="shrink-0">
+          <Button variant="outline" onClick={onClose}>
+            {t("common.buttons.close")}
+          </Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+}
@@ -16,6 +16,7 @@ import {
 } from "@/components/ui/dialog";
 import { Label } from "@/components/ui/label";
 import { RadioGroup, RadioGroupItem } from "@/components/ui/radio-group";
+import { useCloudAuth } from "@/hooks/use-cloud-auth";
 import { showErrorToast, showSuccessToast } from "@/lib/toast-utils";
 import type { BrowserProfile, SyncMode, SyncSettings } from "@/types";
 import { isSyncEnabled } from "@/types";
@@ -34,24 +35,38 @@ export function ProfileSyncDialog({
  onSyncConfigOpen,
 }: ProfileSyncDialogProps) {
  const { t } = useTranslation();
+  const { user: cloudUser } = useCloudAuth();
+  const isCloudSyncEligible =
+    cloudUser != null &&
+    cloudUser.plan !== "free" &&
+    (cloudUser.subscriptionStatus === "active" ||
+      cloudUser.planPeriod === "lifetime");
+  const canUseEncryption =
+    isCloudSyncEligible &&
+    cloudUser != null &&
+    (cloudUser.plan !== "team" || cloudUser.teamRole === "owner");
  const [isSaving, setIsSaving] = useState(false);
  const [isSyncing, setIsSyncing] = useState(false);
  const [syncMode, setSyncMode] = useState<SyncMode>(
    profile?.sync_mode ?? "Disabled",
  );
-  const [hasConfig, setHasConfig] = useState(false);
+  const [hasSelfHostedConfig, setHasSelfHostedConfig] = useState(false);
  const [hasE2ePassword, setHasE2ePassword] = useState(false);
  const [isCheckingConfig, setIsCheckingConfig] = useState(false);

+  const hasConfig = isCloudSyncEligible || hasSelfHostedConfig;
+
  const checkSyncConfig = useCallback(async () => {
    setIsCheckingConfig(true);
    try {
      const settings = await invoke<SyncSettings>("get_sync_settings");
-      setHasConfig(Boolean(settings.sync_server_url && settings.sync_token));
+      setHasSelfHostedConfig(
+        Boolean(settings.sync_server_url && settings.sync_token),
+      );
      const hasPassword = await invoke<boolean>("check_has_e2e_password");
      setHasE2ePassword(hasPassword);
    } catch {
-      setHasConfig(false);
+      setHasSelfHostedConfig(false);
    } finally {
      setIsCheckingConfig(false);
    }
@@ -81,6 +96,11 @@ export function ProfileSyncDialog({
        return;
      }

+      if (newMode === "Encrypted" && !canUseEncryption) {
+        showErrorToast(t("settings.encryption.requiresProOrOwner"));
+        return;
+      }
+
      if (newMode === "Encrypted" && !hasE2ePassword) {
        showErrorToast(t("sync.mode.passwordRequired"));
        return;
@@ -105,7 +125,15 @@ export function ProfileSyncDialog({
        setIsSaving(false);
      }
    },
-    [profile, hasConfig, hasE2ePassword, onSyncConfigOpen, onClose, t],
+    [
+      profile,
+      hasConfig,
+      hasE2ePassword,
+      canUseEncryption,
+      onSyncConfigOpen,
+      onClose,
+      t,
+    ],
  );

  const handleSyncNow = useCallback(async () => {
@@ -214,16 +242,32 @@ export function ProfileSyncDialog({
                  </div>

                  <div className="flex items-start space-x-3">
-                    <RadioGroupItem value="Encrypted" id="sync-encrypted" />
-                    <Label htmlFor="sync-encrypted" className="cursor-pointer">
+                    <RadioGroupItem
+                      value="Encrypted"
+                      id="sync-encrypted"
+                      disabled={!canUseEncryption}
+                    />
+                    <Label
+                      htmlFor="sync-encrypted"
+                      className={
+                        canUseEncryption
+                          ? "cursor-pointer"
+                          : "cursor-not-allowed opacity-50"
+                      }
+                    >
                      <span className="font-medium">
                        {t("sync.mode.encrypted", "E2E Encrypted Sync")}
                      </span>
                      <p className="text-sm text-muted-foreground">
-                        {t(
-                          "sync.mode.encryptedDescription",
-                          "Encrypted before upload. Server never sees plaintext data.",
-                        )}
+                        {canUseEncryption
+                          ? t(
+                              "sync.mode.encryptedDescription",
+                              "Encrypted before upload. Server never sees plaintext data.",
+                            )
+                          : t(
+                              "settings.encryption.requiresProOrOwner",
+                              "Profile encryption is available for Pro users and team owners.",
+                            )}
                      </p>
                    </Label>
                  </div>
@@ -39,6 +39,7 @@ import {
  SelectTrigger,
  SelectValue,
 } from "@/components/ui/select";
+import { useCloudAuth } from "@/hooks/use-cloud-auth";
 import { useCommercialTrial } from "@/hooks/use-commercial-trial";
 import { useLanguage } from "@/hooks/use-language";
 import type { PermissionType } from "@/hooks/use-permissions";
@@ -129,6 +130,13 @@ export function SettingsDialog({
    isCameraAccessGranted,
  } = usePermissions();
  const { trialStatus } = useCommercialTrial();
+  const { user: cloudUser } = useCloudAuth();
+  const canUseEncryption =
+    cloudUser != null &&
+    cloudUser.plan !== "free" &&
+    (cloudUser.subscriptionStatus === "active" ||
+      cloudUser.planPeriod === "lifetime") &&
+    (cloudUser.plan !== "team" || cloudUser.teamRole === "owner");
  const {
    currentLanguage,
    changeLanguage,
@@ -853,7 +861,14 @@ export function SettingsDialog({
              )}
            </p>

-            {hasE2ePassword ? (
+            {!canUseEncryption ? (
+              <p className="text-sm text-muted-foreground">
+                {t(
+                  "settings.encryption.requiresProOrOwner",
+                  "Profile encryption is available for Pro users and team owners.",
+                )}
+              </p>
+            ) : hasE2ePassword ? (
              <div className="space-y-3">
                <div className="flex items-center gap-2">
                  <Badge variant="default">
@@ -1046,18 +1046,19 @@ export function SharedCamoufoxConfigForm({
        </fieldset>
        {limitedMode && (
          <>
-            <div className="absolute inset-0 backdrop-blur-[6px] bg-background/30" />
-            <div className="absolute inset-0 flex items-center justify-center z-[2]">
-              <div className="flex items-center gap-2">
+            <div className="absolute inset-0 backdrop-blur-[6px] bg-background/30 z-[1]" />
+            <div className="absolute inset-y-0 left-0 w-6 bg-gradient-to-r from-background to-transparent z-[2]" />
+            <div className="absolute inset-y-0 right-0 w-6 bg-gradient-to-l from-background to-transparent z-[2]" />
+            <div className="absolute inset-x-0 top-0 h-6 bg-gradient-to-b from-background to-transparent z-[2]" />
+            <div className="absolute inset-x-0 bottom-0 h-6 bg-gradient-to-t from-background to-transparent z-[2]" />
+            <div className="absolute inset-0 flex items-center justify-center z-[3]">
+              <div className="flex items-center gap-2 rounded-md bg-background/80 px-3 py-1.5">
                <ProBadge />
                <span className="text-sm font-medium text-muted-foreground">
                  {t("fingerprint.proFeature")}
                </span>
              </div>
            </div>
-            <div className="absolute inset-y-0 left-0 w-6 bg-gradient-to-r from-background to-transparent z-[1]" />
-            <div className="absolute inset-y-0 right-0 w-6 bg-gradient-to-l from-background to-transparent z-[1]" />
-            <div className="absolute inset-x-0 bottom-0 h-6 bg-gradient-to-t from-background to-transparent z-[1]" />
          </>
        )}
      </div>
@@ -1253,18 +1254,19 @@ export function SharedCamoufoxConfigForm({
              </fieldset>
              {limitedMode && (
                <>
-                  <div className="absolute inset-0 backdrop-blur-[6px] bg-background/30" />
-                  <div className="absolute inset-0 flex items-center justify-center z-[2]">
-                    <div className="flex items-center gap-2">
+                  <div className="absolute inset-0 backdrop-blur-[6px] bg-background/30 z-[1]" />
+                  <div className="absolute inset-y-0 left-0 w-6 bg-gradient-to-r from-background to-transparent z-[2]" />
+                  <div className="absolute inset-y-0 right-0 w-6 bg-gradient-to-l from-background to-transparent z-[2]" />
+                  <div className="absolute inset-x-0 top-0 h-6 bg-gradient-to-b from-background to-transparent z-[2]" />
+                  <div className="absolute inset-x-0 bottom-0 h-6 bg-gradient-to-t from-background to-transparent z-[2]" />
+                  <div className="absolute inset-0 flex items-center justify-center z-[3]">
+                    <div className="flex items-center gap-2 rounded-md bg-background/80 px-3 py-1.5">
                      <ProBadge />
                      <span className="text-sm font-medium text-muted-foreground">
                        {t("fingerprint.proFeature")}
                      </span>
                    </div>
                  </div>
-                  <div className="absolute inset-y-0 left-0 w-6 bg-gradient-to-r from-background to-transparent z-[1]" />
-                  <div className="absolute inset-y-0 right-0 w-6 bg-gradient-to-l from-background to-transparent z-[1]" />
-                  <div className="absolute inset-x-0 bottom-0 h-6 bg-gradient-to-t from-background to-transparent z-[1]" />
                </>
              )}
            </div>
@@ -292,11 +292,48 @@ export function SyncConfigDialog({ isOpen, onClose }: SyncConfigDialogProps) {
                <div className="flex justify-between">
                  <span className="text-muted-foreground">Proxy Bandwidth</span>
                  <span>
-                    {user.proxyBandwidthUsedMb} / {user.proxyBandwidthLimitMb}{" "}
+                    {user.proxyBandwidthUsedMb} /{" "}
+                    {user.proxyBandwidthLimitMb +
+                      (user.proxyBandwidthExtraMb || 0)}{" "}
                    MB
                  </span>
                </div>
              )}
+              {(user.proxyBandwidthExtraMb || 0) > 0 && (
+                <div className="flex justify-between">
+                  <span className="text-muted-foreground">Extra Bandwidth</span>
+                  <span>
+                    {user.proxyBandwidthExtraMb >= 1000
+                      ? `${(user.proxyBandwidthExtraMb / 1000).toFixed(1)} GB`
+                      : `${user.proxyBandwidthExtraMb} MB`}
+                  </span>
+                </div>
+              )}
+              {user.teamName && (
+                <>
+                  <div className="flex justify-between">
+                    <span className="text-muted-foreground">
+                      {t("sync.team.name")}
+                    </span>
+                    <span>{user.teamName}</span>
+                  </div>
+                  <div className="flex justify-between">
+                    <span className="text-muted-foreground">
+                      {t("sync.team.role")}
+                    </span>
+                    <span className="capitalize">
+                      {user.teamRole === "owner"
+                        ? t("sync.team.roleOwner")
+                        : user.teamRole === "admin"
+                          ? t("sync.team.roleAdmin")
+                          : t("sync.team.roleMember")}
+                    </span>
+                  </div>
+                  <p className="text-xs text-muted-foreground pt-1">
+                    {t("sync.team.manageOnWeb")}
+                  </p>
+                </>
+              )}
            </div>

            <div className="flex gap-2 pt-2">
@@ -998,18 +998,19 @@ export function WayfernConfigForm({
        </fieldset>
        {limitedMode && (
          <>
-            <div className="absolute inset-0 backdrop-blur-[6px] bg-background/30" />
-            <div className="absolute inset-0 flex items-center justify-center z-[2]">
-              <div className="flex items-center gap-2">
+            <div className="absolute inset-0 backdrop-blur-[6px] bg-background/30 z-[1]" />
+            <div className="absolute inset-y-0 left-0 w-6 bg-gradient-to-r from-background to-transparent z-[2]" />
+            <div className="absolute inset-y-0 right-0 w-6 bg-gradient-to-l from-background to-transparent z-[2]" />
+            <div className="absolute inset-x-0 top-0 h-6 bg-gradient-to-b from-background to-transparent z-[2]" />
+            <div className="absolute inset-x-0 bottom-0 h-6 bg-gradient-to-t from-background to-transparent z-[2]" />
+            <div className="absolute inset-0 flex items-center justify-center z-[3]">
+              <div className="flex items-center gap-2 rounded-md bg-background/80 px-3 py-1.5">
                <ProBadge />
                <span className="text-sm font-medium text-muted-foreground">
                  {t("fingerprint.proFeature")}
                </span>
              </div>
            </div>
-            <div className="absolute inset-y-0 left-0 w-6 bg-gradient-to-r from-background to-transparent z-[1]" />
-            <div className="absolute inset-y-0 right-0 w-6 bg-gradient-to-l from-background to-transparent z-[1]" />
-            <div className="absolute inset-x-0 bottom-0 h-6 bg-gradient-to-t from-background to-transparent z-[1]" />
          </>
        )}
      </div>
@@ -1212,18 +1213,19 @@ export function WayfernConfigForm({
              </fieldset>
              {limitedMode && (
                <>
-                  <div className="absolute inset-0 backdrop-blur-[6px] bg-background/30" />
-                  <div className="absolute inset-0 flex items-center justify-center z-[2]">
-                    <div className="flex items-center gap-2">
+                  <div className="absolute inset-0 backdrop-blur-[6px] bg-background/30 z-[1]" />
+                  <div className="absolute inset-y-0 left-0 w-6 bg-gradient-to-r from-background to-transparent z-[2]" />
+                  <div className="absolute inset-y-0 right-0 w-6 bg-gradient-to-l from-background to-transparent z-[2]" />
+                  <div className="absolute inset-x-0 top-0 h-6 bg-gradient-to-b from-background to-transparent z-[2]" />
+                  <div className="absolute inset-x-0 bottom-0 h-6 bg-gradient-to-t from-background to-transparent z-[2]" />
+                  <div className="absolute inset-0 flex items-center justify-center z-[3]">
+                    <div className="flex items-center gap-2 rounded-md bg-background/80 px-3 py-1.5">
                      <ProBadge />
                      <span className="text-sm font-medium text-muted-foreground">
                        {t("fingerprint.proFeature")}
                      </span>
                    </div>
                  </div>
-                  <div className="absolute inset-y-0 left-0 w-6 bg-gradient-to-r from-background to-transparent z-[1]" />
-                  <div className="absolute inset-y-0 right-0 w-6 bg-gradient-to-l from-background to-transparent z-[1]" />
-                  <div className="absolute inset-x-0 bottom-0 h-6 bg-gradient-to-t from-background to-transparent z-[1]" />
                </>
              )}
            </div>
@@ -1,7 +1,7 @@
 "use client";

 import { invoke } from "@tauri-apps/api/core";
-import { useState } from "react";
+import { useEffect, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { Button } from "@/components/ui/button";
 import { Checkbox } from "@/components/ui/checkbox";
@@ -17,15 +17,23 @@ import { Label } from "@/components/ui/label";
 interface WindowResizeWarningDialogProps {
  isOpen: boolean;
  onResult: (proceed: boolean) => void;
+  browserType?: string;
 }

 export function WindowResizeWarningDialog({
  isOpen,
  onResult,
+  browserType,
 }: WindowResizeWarningDialogProps) {
  const { t } = useTranslation();
  const [dontShowAgain, setDontShowAgain] = useState(false);

+  useEffect(() => {
+    if (isOpen) {
+      setDontShowAgain(false);
+    }
+  }, [isOpen]);
+
  const handleContinue = async () => {
    if (dontShowAgain) {
      try {
@@ -41,6 +49,16 @@ export function WindowResizeWarningDialog({
    onResult(false);
  };

+  const isCamoufox = browserType === "camoufox";
+
+  const title = isCamoufox
+    ? t("warnings.windowResizeCamoufoxTitle")
+    : t("warnings.windowResizeTitle");
+
+  const description = isCamoufox
+    ? t("warnings.windowResizeCamoufoxDescription")
+    : t("warnings.windowResizeDescription");
+
  return (
    <Dialog open={isOpen}>
      <DialogContent
@@ -50,12 +68,10 @@ export function WindowResizeWarningDialog({
        onInteractOutside={(e) => e.preventDefault()}
      >
        <DialogHeader>
-          <DialogTitle>{t("warnings.windowResizeTitle")}</DialogTitle>
+          <DialogTitle>{title}</DialogTitle>
        </DialogHeader>

-        <p className="text-sm text-muted-foreground">
-          {t("warnings.windowResizeDescription")}
-        </p>
+        <p className="text-sm text-muted-foreground">{description}</p>

        <div className="flex items-center space-x-2">
          <Checkbox
@@ -49,7 +49,9 @@ export function useBrowserDownload() {
  const [availableVersions, setAvailableVersions] = useState<GithubRelease[]>(
    [],
  );
-  const [downloadedVersions, setDownloadedVersions] = useState<string[]>([]);
+  const [downloadedVersionsMap, setDownloadedVersionsMap] = useState<
+    Record<string, string[]>
+  >({});
  const [downloadingBrowsers, setDownloadingBrowsers] = useState<Set<string>>(
    new Set(),
  );
@@ -166,12 +168,12 @@ export function useBrowserDownload() {

  const loadDownloadedVersions = useCallback(async (browserStr: string) => {
    try {
-      const downloadedVersions = await invoke<string[]>(
+      const versions = await invoke<string[]>(
        "get_downloaded_browser_versions",
        { browserStr },
      );
-      setDownloadedVersions(downloadedVersions);
-      return downloadedVersions;
+      setDownloadedVersionsMap((prev) => ({ ...prev, [browserStr]: versions }));
+      return versions;
    } catch (error) {
      console.error("Failed to load downloaded versions:", error);
      throw error;
@@ -243,9 +245,11 @@ export function useBrowserDownload() {

  const isVersionDownloaded = useCallback(
    (version: string) => {
-      return downloadedVersions.includes(version);
+      return Object.values(downloadedVersionsMap).some((versions) =>
+        versions.includes(version),
+      );
    },
-    [downloadedVersions],
+    [downloadedVersionsMap],
  );

  // Check if a browser type is currently downloading
@@ -434,7 +438,7 @@ export function useBrowserDownload() {

  return {
    availableVersions,
-    downloadedVersions,
+    downloadedVersionsMap,
    isDownloading,
    isBrowserDownloading,
    downloadingBrowsers,
@@ -0,0 +1,73 @@
+import { invoke } from "@tauri-apps/api/core";
+import { listen } from "@tauri-apps/api/event";
+import { useCallback, useEffect, useState } from "react";
+import type { Extension, ExtensionGroup } from "@/types";
+
+export function useExtensionEvents() {
+  const [extensions, setExtensions] = useState<Extension[]>([]);
+  const [extensionGroups, setExtensionGroups] = useState<ExtensionGroup[]>([]);
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  const loadExtensions = useCallback(async () => {
+    try {
+      const exts = await invoke<Extension[]>("list_extensions");
+      setExtensions(exts);
+      setError(null);
+    } catch (err: unknown) {
+      console.error("Failed to load extensions:", err);
+      setExtensions([]);
+    }
+  }, []);
+
+  const loadExtensionGroups = useCallback(async () => {
+    try {
+      const groups = await invoke<ExtensionGroup[]>("list_extension_groups");
+      setExtensionGroups(groups);
+      setError(null);
+    } catch (err: unknown) {
+      console.error("Failed to load extension groups:", err);
+      setExtensionGroups([]);
+    }
+  }, []);
+
+  const loadAll = useCallback(async () => {
+    await Promise.all([loadExtensions(), loadExtensionGroups()]);
+  }, [loadExtensions, loadExtensionGroups]);
+
+  useEffect(() => {
+    let unlisten: (() => void) | undefined;
+
+    const setup = async () => {
+      try {
+        await loadAll();
+        unlisten = await listen("extensions-changed", () => {
+          void loadAll();
+        });
+      } catch (err) {
+        console.error("Failed to setup extension event listeners:", err);
+        setError(
+          `Failed to setup extension event listeners: ${JSON.stringify(err)}`,
+        );
+      } finally {
+        setIsLoading(false);
+      }
+    };
+
+    void setup();
+
+    return () => {
+      if (unlisten) unlisten();
+    };
+  }, [loadAll]);
+
+  return {
+    extensions,
+    extensionGroups,
+    isLoading,
+    error,
+    loadExtensions,
+    loadExtensionGroups,
+    loadAll,
+  };
+}
@@ -0,0 +1,54 @@
+import { invoke } from "@tauri-apps/api/core";
+import { listen } from "@tauri-apps/api/event";
+import { useCallback, useEffect, useState } from "react";
+import type { ProfileLockInfo } from "@/types";
+
+export function useTeamLocks(currentUserId?: string) {
+  const [locks, setLocks] = useState<ProfileLockInfo[]>([]);
+
+  const fetchLocks = useCallback(async () => {
+    try {
+      const result = await invoke<ProfileLockInfo[]>("get_team_locks");
+      setLocks(result);
+    } catch {
+      // Not connected to a team or not logged in
+    }
+  }, []);
+
+  useEffect(() => {
+    fetchLocks();
+
+    const unlistenAcquired = listen<{ profileId: string }>(
+      "team-lock-acquired",
+      () => fetchLocks(),
+    );
+    const unlistenReleased = listen<{ profileId: string }>(
+      "team-lock-released",
+      () => fetchLocks(),
+    );
+
+    return () => {
+      unlistenAcquired.then((fn) => fn());
+      unlistenReleased.then((fn) => fn());
+    };
+  }, [fetchLocks]);
+
+  const isProfileLocked = useCallback(
+    (profileId: string): boolean => {
+      const lock = locks.find((l) => l.profileId === profileId);
+      if (!lock) return false;
+      if (currentUserId && lock.lockedBy === currentUserId) return false;
+      return true;
+    },
+    [locks, currentUserId],
+  );
+
+  const getLockInfo = useCallback(
+    (profileId: string): ProfileLockInfo | undefined => {
+      return locks.find((l) => l.profileId === profileId);
+    },
+    [locks],
+  );
+
+  return { locks, isProfileLocked, getLockInfo, refetchLocks: fetchLocks };
+}
@@ -120,7 +120,8 @@
      "removed": "Encryption password removed",
      "passwordSaved": "Encryption password set",
      "passwordMismatch": "Passwords do not match",
-      "passwordTooShort": "Password must be at least 8 characters"
+      "passwordTooShort": "Password must be at least 8 characters",
+      "requiresProOrOwner": "Profile encryption is available for Pro users and team owners."
    },
    "commercial": {
      "title": "Commercial License",
@@ -146,7 +147,8 @@
      "groups": "Groups",
      "syncService": "Account",
      "integrations": "Integrations",
-      "importProfile": "Import Profile"
+      "importProfile": "Import Profile",
+      "extensions": "Extensions"
    }
  },
  "profiles": {
@@ -339,6 +341,19 @@
      "logoutConfirm": "Are you sure you want to log out? Cloud sync will stop.",
      "loginSuccess": "Successfully logged in!",
      "logoutSuccess": "Successfully logged out."
+    },
+    "team": {
+      "title": "Team",
+      "name": "Team Name",
+      "role": "Role",
+      "roleOwner": "Owner",
+      "roleAdmin": "Admin",
+      "roleMember": "Member",
+      "manageOnWeb": "Manage team on the web dashboard",
+      "profileLocked": "In use by {{email}}",
+      "profileLockedShort": "In use",
+      "cannotLaunchLocked": "Cannot launch — profile is in use by {{email}}",
+      "createdBy": "Created by {{email}}"
    }
  },
  "integrations": {
@@ -503,6 +518,7 @@
      "verifying": "Verifying {{browser}} {{version}}",
      "syncing": "Syncing...",
      "syncingProfile": "Syncing profile '{{name}}'...",
+      "syncingProfileWithProgress": "{{count}} files ({{size}})",
      "updatingVersions": "Updating browser versions..."
    }
  },
@@ -629,6 +645,8 @@
  "warnings": {
    "windowResizeTitle": "Custom Window Dimensions",
    "windowResizeDescription": "Changing browser window dimensions may increase the chance of website detection that browser information is spoofed.",
+    "windowResizeCamoufoxTitle": "Viewport Locked by Camoufox",
+    "windowResizeCamoufoxDescription": "Camoufox locks the viewport to the spoofed screen dimensions for anti-fingerprinting. Resizing the window may cause cropped or grey areas. This is expected behavior.",
    "dontShowAgain": "Don't show this again",
    "continue": "Continue",
    "cancel": "Cancel"
@@ -676,6 +694,88 @@
      "error": "Failed to export cookies"
    }
  },
+  "profileInfo": {
+    "title": "Profile Details",
+    "tabs": {
+      "info": "Info",
+      "settings": "Settings"
+    },
+    "fields": {
+      "profileId": "Profile ID",
+      "browser": "Browser",
+      "releaseType": "Release Type",
+      "proxyVpn": "Proxy / VPN",
+      "group": "Group",
+      "tags": "Tags",
+      "note": "Note",
+      "syncStatus": "Sync Status",
+      "lastLaunched": "Last Launched",
+      "hostOs": "Host OS",
+      "ephemeral": "Ephemeral",
+      "extensionGroup": "Extension Group"
+    },
+    "values": {
+      "none": "None",
+      "never": "Never",
+      "copied": "Copied!",
+      "yes": "Yes"
+    },
+    "network": {
+      "bypassRules": "Proxy Bypass Rules",
+      "bypassRulesTitle": "Proxy Bypass Rules",
+      "bypassRulesDescription": "Requests matching these rules will connect directly, bypassing the proxy.",
+      "addRule": "Add Rule",
+      "rulePlaceholder": "e.g. example.com, 192.168.1.*, .*\\.local",
+      "noRules": "No bypass rules configured.",
+      "ruleTypes": "Supports hostnames, IP addresses, and regex patterns."
+    },
+    "actions": {
+      "manageCookies": "Manage Cookies"
+    },
+    "clone": {
+      "title": "Clone Profile",
+      "description": "Enter a name for the cloned profile",
+      "namePlaceholder": "Profile name",
+      "button": "Clone"
+    }
+  },
+  "extensions": {
+    "title": "Extensions",
+    "description": "Manage browser extensions and extension groups for your profiles.",
+    "upload": "Upload",
+    "delete": "Delete",
+    "extensionsTab": "Extensions",
+    "groupsTab": "Groups",
+    "managedNotice": "Extensions managed here will replace any manually installed extensions in profiles when launched.",
+    "proRequired": "Extension management is a Pro feature",
+    "empty": "No extensions uploaded yet.",
+    "noGroups": "No extension groups created yet.",
+    "createGroup": "Create Group",
+    "addToGroup": "Add extension...",
+    "removeFromGroup": "Remove from group",
+    "deleteGroup": "Delete group",
+    "extensionGroup": "Extension Group",
+    "compatibility": {
+      "label": "Compatibility",
+      "chromium": "Chromium",
+      "firefox": "Firefox",
+      "both": "Chromium & Firefox"
+    },
+    "selectedFile": "Selected file",
+    "namePlaceholder": "Extension name",
+    "groupNamePlaceholder": "Group name",
+    "uploadSuccess": "Extension uploaded successfully",
+    "deleteSuccess": "Extension deleted successfully",
+    "groupCreateSuccess": "Extension group created successfully",
+    "groupUpdateSuccess": "Extension group updated successfully",
+    "groupDeleteSuccess": "Extension group deleted successfully",
+    "deleteConfirmTitle": "Delete Extension",
+    "deleteConfirmDescription": "Are you sure you want to delete \"{{name}}\"? This action cannot be undone.",
+    "deleteGroupConfirmTitle": "Delete Extension Group",
+    "deleteGroupConfirmDescription": "Are you sure you want to delete the group \"{{name}}\"? This action cannot be undone.",
+    "invalidFileType": "Invalid file type. Please upload a .crx, .xpi, or .zip file.",
+    "readError": "Failed to read the extension file."
+  },
  "pro": {
    "badge": "PRO",
    "fingerprintLocked": "Fingerprint editing is a Pro feature",
@@ -120,7 +120,8 @@
      "removed": "Contraseña de cifrado eliminada",
      "passwordSaved": "Contraseña de cifrado establecida",
      "passwordMismatch": "Las contraseñas no coinciden",
-      "passwordTooShort": "La contraseña debe tener al menos 8 caracteres"
+      "passwordTooShort": "La contraseña debe tener al menos 8 caracteres",
+      "requiresProOrOwner": "El cifrado de perfiles está disponible para usuarios Pro y propietarios de equipos."
    },
    "commercial": {
      "title": "Licencia Comercial",
@@ -146,7 +147,8 @@
      "groups": "Grupos",
      "syncService": "Cuenta",
      "integrations": "Integraciones",
-      "importProfile": "Importar Perfil"
+      "importProfile": "Importar Perfil",
+      "extensions": "Extensiones"
    }
  },
  "profiles": {
@@ -339,6 +341,19 @@
      "logoutConfirm": "¿Estás seguro de que deseas cerrar sesión? La sincronización en la nube se detendrá.",
      "loginSuccess": "¡Sesión iniciada exitosamente!",
      "logoutSuccess": "Sesión cerrada exitosamente."
+    },
+    "team": {
+      "title": "Equipo",
+      "name": "Nombre del Equipo",
+      "role": "Rol",
+      "roleOwner": "Propietario",
+      "roleAdmin": "Administrador",
+      "roleMember": "Miembro",
+      "manageOnWeb": "Gestionar equipo en el panel web",
+      "profileLocked": "En uso por {{email}}",
+      "profileLockedShort": "En uso",
+      "cannotLaunchLocked": "No se puede iniciar — el perfil está en uso por {{email}}",
+      "createdBy": "Creado por {{email}}"
    }
  },
  "integrations": {
@@ -503,6 +518,7 @@
      "verifying": "Verificando {{browser}} {{version}}",
      "syncing": "Sincronizando...",
      "syncingProfile": "Sincronizando perfil '{{name}}'...",
+      "syncingProfileWithProgress": "{{count}} archivos ({{size}})",
      "updatingVersions": "Actualizando versiones de navegadores..."
    }
  },
@@ -629,6 +645,8 @@
  "warnings": {
    "windowResizeTitle": "Dimensiones de ventana personalizadas",
    "windowResizeDescription": "Cambiar las dimensiones de la ventana del navegador puede aumentar la posibilidad de que los sitios web detecten que la información del navegador está falsificada.",
+    "windowResizeCamoufoxTitle": "Viewport bloqueado por Camoufox",
+    "windowResizeCamoufoxDescription": "Camoufox bloquea el viewport a las dimensiones de pantalla falsificadas para anti-fingerprinting. Redimensionar la ventana puede causar áreas recortadas o grises. Este es el comportamiento esperado.",
    "dontShowAgain": "No mostrar esto de nuevo",
    "continue": "Continuar",
    "cancel": "Cancelar"
@@ -676,6 +694,88 @@
      "error": "Error al exportar cookies"
    }
  },
+  "profileInfo": {
+    "title": "Detalles del Perfil",
+    "tabs": {
+      "info": "Info",
+      "settings": "Configuración"
+    },
+    "fields": {
+      "profileId": "ID del Perfil",
+      "browser": "Navegador",
+      "releaseType": "Tipo de Versión",
+      "proxyVpn": "Proxy / VPN",
+      "group": "Grupo",
+      "tags": "Etiquetas",
+      "note": "Nota",
+      "syncStatus": "Estado de Sincronización",
+      "lastLaunched": "Último Lanzamiento",
+      "hostOs": "SO Host",
+      "ephemeral": "Efímero",
+      "extensionGroup": "Grupo de Extensiones"
+    },
+    "values": {
+      "none": "Ninguno",
+      "never": "Nunca",
+      "copied": "¡Copiado!",
+      "yes": "Sí"
+    },
+    "network": {
+      "bypassRules": "Reglas de Omisión de Proxy",
+      "bypassRulesTitle": "Reglas de Omisión de Proxy",
+      "bypassRulesDescription": "Las solicitudes que coincidan con estas reglas se conectarán directamente, omitiendo el proxy.",
+      "addRule": "Agregar Regla",
+      "rulePlaceholder": "ej. example.com, 192.168.1.*, .*\\.local",
+      "noRules": "No hay reglas de omisión configuradas.",
+      "ruleTypes": "Soporta nombres de host, direcciones IP y patrones regex."
+    },
+    "actions": {
+      "manageCookies": "Administrar Cookies"
+    },
+    "clone": {
+      "title": "Clonar Perfil",
+      "description": "Ingrese un nombre para el perfil clonado",
+      "namePlaceholder": "Nombre del perfil",
+      "button": "Clonar"
+    }
+  },
+  "extensions": {
+    "title": "Extensiones",
+    "description": "Administra extensiones de navegador y grupos de extensiones para tus perfiles.",
+    "upload": "Subir",
+    "delete": "Eliminar",
+    "extensionsTab": "Extensiones",
+    "groupsTab": "Grupos",
+    "managedNotice": "Las extensiones administradas aquí reemplazarán cualquier extensión instalada manualmente en los perfiles al iniciarlos.",
+    "proRequired": "La gestión de extensiones es una función Pro",
+    "empty": "No se han subido extensiones aún.",
+    "noGroups": "No se han creado grupos de extensiones aún.",
+    "createGroup": "Crear Grupo",
+    "addToGroup": "Agregar extensión...",
+    "removeFromGroup": "Eliminar del grupo",
+    "deleteGroup": "Eliminar grupo",
+    "extensionGroup": "Grupo de Extensiones",
+    "compatibility": {
+      "label": "Compatibilidad",
+      "chromium": "Chromium",
+      "firefox": "Firefox",
+      "both": "Chromium y Firefox"
+    },
+    "selectedFile": "Archivo seleccionado",
+    "namePlaceholder": "Nombre de la extensión",
+    "groupNamePlaceholder": "Nombre del grupo",
+    "uploadSuccess": "Extensión subida exitosamente",
+    "deleteSuccess": "Extensión eliminada exitosamente",
+    "groupCreateSuccess": "Grupo de extensiones creado exitosamente",
+    "groupUpdateSuccess": "Grupo de extensiones actualizado exitosamente",
+    "groupDeleteSuccess": "Grupo de extensiones eliminado exitosamente",
+    "deleteConfirmTitle": "Eliminar Extensión",
+    "deleteConfirmDescription": "¿Estás seguro de que deseas eliminar \"{{name}}\"? Esta acción no se puede deshacer.",
+    "deleteGroupConfirmTitle": "Eliminar Grupo de Extensiones",
+    "deleteGroupConfirmDescription": "¿Estás seguro de que deseas eliminar el grupo \"{{name}}\"? Esta acción no se puede deshacer.",
+    "invalidFileType": "Tipo de archivo no válido. Suba un archivo .crx, .xpi o .zip.",
+    "readError": "No se pudo leer el archivo de extensión."
+  },
  "pro": {
    "badge": "PRO",
    "fingerprintLocked": "La edición de huellas digitales es una función Pro",
@@ -120,7 +120,8 @@
      "removed": "Mot de passe de chiffrement supprimé",
      "passwordSaved": "Mot de passe de chiffrement défini",
      "passwordMismatch": "Les mots de passe ne correspondent pas",
-      "passwordTooShort": "Le mot de passe doit contenir au moins 8 caractères"
+      "passwordTooShort": "Le mot de passe doit contenir au moins 8 caractères",
+      "requiresProOrOwner": "Le chiffrement des profils est disponible pour les utilisateurs Pro et les propriétaires d'équipe."
    },
    "commercial": {
      "title": "Licence commerciale",
@@ -146,7 +147,8 @@
      "groups": "Groupes",
      "syncService": "Compte",
      "integrations": "Intégrations",
-      "importProfile": "Importer un profil"
+      "importProfile": "Importer un profil",
+      "extensions": "Extensions"
    }
  },
  "profiles": {
@@ -339,6 +341,19 @@
      "logoutConfirm": "Êtes-vous sûr de vouloir vous déconnecter ? La synchronisation cloud sera arrêtée.",
      "loginSuccess": "Connexion réussie !",
      "logoutSuccess": "Déconnexion réussie."
+    },
+    "team": {
+      "title": "Équipe",
+      "name": "Nom de l'équipe",
+      "role": "Rôle",
+      "roleOwner": "Propriétaire",
+      "roleAdmin": "Administrateur",
+      "roleMember": "Membre",
+      "manageOnWeb": "Gérer l'équipe sur le tableau de bord web",
+      "profileLocked": "Utilisé par {{email}}",
+      "profileLockedShort": "En cours d'utilisation",
+      "cannotLaunchLocked": "Impossible de lancer — le profil est utilisé par {{email}}",
+      "createdBy": "Créé par {{email}}"
    }
  },
  "integrations": {
@@ -503,6 +518,7 @@
      "verifying": "Vérification de {{browser}} {{version}}",
      "syncing": "Synchronisation...",
      "syncingProfile": "Synchronisation du profil '{{name}}'...",
+      "syncingProfileWithProgress": "{{count}} fichiers ({{size}})",
      "updatingVersions": "Mise à jour des versions de navigateurs..."
    }
  },
@@ -629,6 +645,8 @@
  "warnings": {
    "windowResizeTitle": "Dimensions de fenêtre personnalisées",
    "windowResizeDescription": "Modifier les dimensions de la fenêtre du navigateur peut augmenter les chances de détection par les sites web que les informations du navigateur sont falsifiées.",
+    "windowResizeCamoufoxTitle": "Viewport verrouillé par Camoufox",
+    "windowResizeCamoufoxDescription": "Camoufox verrouille le viewport aux dimensions d'écran falsifiées pour l'anti-fingerprinting. Redimensionner la fenêtre peut causer des zones recadrées ou grises. C'est le comportement attendu.",
    "dontShowAgain": "Ne plus afficher",
    "continue": "Continuer",
    "cancel": "Annuler"
@@ -676,6 +694,88 @@
      "error": "Échec de l'exportation des cookies"
    }
  },
+  "profileInfo": {
+    "title": "Détails du Profil",
+    "tabs": {
+      "info": "Info",
+      "settings": "Paramètres"
+    },
+    "fields": {
+      "profileId": "ID du Profil",
+      "browser": "Navigateur",
+      "releaseType": "Type de Version",
+      "proxyVpn": "Proxy / VPN",
+      "group": "Groupe",
+      "tags": "Tags",
+      "note": "Note",
+      "syncStatus": "État de Synchronisation",
+      "lastLaunched": "Dernier Lancement",
+      "hostOs": "OS Hôte",
+      "ephemeral": "Éphémère",
+      "extensionGroup": "Groupe d'Extensions"
+    },
+    "values": {
+      "none": "Aucun",
+      "never": "Jamais",
+      "copied": "Copié !",
+      "yes": "Oui"
+    },
+    "network": {
+      "bypassRules": "Règles de Contournement du Proxy",
+      "bypassRulesTitle": "Règles de Contournement du Proxy",
+      "bypassRulesDescription": "Les requêtes correspondant à ces règles se connecteront directement, contournant le proxy.",
+      "addRule": "Ajouter une Règle",
+      "rulePlaceholder": "ex. example.com, 192.168.1.*, .*\\.local",
+      "noRules": "Aucune règle de contournement configurée.",
+      "ruleTypes": "Prend en charge les noms d'hôte, les adresses IP et les expressions régulières."
+    },
+    "actions": {
+      "manageCookies": "Gérer les Cookies"
+    },
+    "clone": {
+      "title": "Cloner le Profil",
+      "description": "Entrez un nom pour le profil cloné",
+      "namePlaceholder": "Nom du profil",
+      "button": "Cloner"
+    }
+  },
+  "extensions": {
+    "title": "Extensions",
+    "description": "Gérez les extensions de navigateur et les groupes d'extensions pour vos profils.",
+    "upload": "Télécharger",
+    "delete": "Supprimer",
+    "extensionsTab": "Extensions",
+    "groupsTab": "Groupes",
+    "managedNotice": "Les extensions gérées ici remplaceront toutes les extensions installées manuellement dans les profils lors du lancement.",
+    "proRequired": "La gestion des extensions est une fonctionnalité Pro",
+    "empty": "Aucune extension téléchargée pour l'instant.",
+    "noGroups": "Aucun groupe d'extensions créé pour l'instant.",
+    "createGroup": "Créer un Groupe",
+    "addToGroup": "Ajouter une extension...",
+    "removeFromGroup": "Retirer du groupe",
+    "deleteGroup": "Supprimer le groupe",
+    "extensionGroup": "Groupe d'Extensions",
+    "compatibility": {
+      "label": "Compatibilité",
+      "chromium": "Chromium",
+      "firefox": "Firefox",
+      "both": "Chromium et Firefox"
+    },
+    "selectedFile": "Fichier sélectionné",
+    "namePlaceholder": "Nom de l'extension",
+    "groupNamePlaceholder": "Nom du groupe",
+    "uploadSuccess": "Extension téléchargée avec succès",
+    "deleteSuccess": "Extension supprimée avec succès",
+    "groupCreateSuccess": "Groupe d'extensions créé avec succès",
+    "groupUpdateSuccess": "Groupe d'extensions mis à jour avec succès",
+    "groupDeleteSuccess": "Groupe d'extensions supprimé avec succès",
+    "deleteConfirmTitle": "Supprimer l'Extension",
+    "deleteConfirmDescription": "Êtes-vous sûr de vouloir supprimer \"{{name}}\" ? Cette action est irréversible.",
+    "deleteGroupConfirmTitle": "Supprimer le Groupe d'Extensions",
+    "deleteGroupConfirmDescription": "Êtes-vous sûr de vouloir supprimer le groupe \"{{name}}\" ? Cette action est irréversible.",
+    "invalidFileType": "Type de fichier non valide. Veuillez télécharger un fichier .crx, .xpi ou .zip.",
+    "readError": "Impossible de lire le fichier d'extension."
+  },
  "pro": {
    "badge": "PRO",
    "fingerprintLocked": "La modification d'empreinte est une fonctionnalité Pro",
@@ -120,7 +120,8 @@
      "removed": "暗号化パスワードが削除されました",
      "passwordSaved": "暗号化パスワードが設定されました",
      "passwordMismatch": "パスワードが一致しません",
-      "passwordTooShort": "パスワードは8文字以上である必要があります"
+      "passwordTooShort": "パスワードは8文字以上である必要があります",
+      "requiresProOrOwner": "プロファイルの暗号化はProユーザーとチームオーナーのみ利用できます。"
    },
    "commercial": {
      "title": "商用ライセンス",
@@ -146,7 +147,8 @@
      "groups": "グループ",
      "syncService": "アカウント",
      "integrations": "統合",
-      "importProfile": "プロファイルをインポート"
+      "importProfile": "プロファイルをインポート",
+      "extensions": "拡張機能"
    }
  },
  "profiles": {
@@ -339,6 +341,19 @@
      "logoutConfirm": "ログアウトしてもよろしいですか？クラウド同期が停止します。",
      "loginSuccess": "ログインに成功しました！",
      "logoutSuccess": "ログアウトしました。"
+    },
+    "team": {
+      "title": "チーム",
+      "name": "チーム名",
+      "role": "役割",
+      "roleOwner": "オーナー",
+      "roleAdmin": "管理者",
+      "roleMember": "メンバー",
+      "manageOnWeb": "Webダッシュボードでチームを管理",
+      "profileLocked": "{{email}} が使用中",
+      "profileLockedShort": "使用中",
+      "cannotLaunchLocked": "起動できません — {{email}} がプロファイルを使用中です",
+      "createdBy": "{{email}} が作成"
    }
  },
  "integrations": {
@@ -503,6 +518,7 @@
      "verifying": "{{browser}} {{version}} を確認中",
      "syncing": "同期中...",
      "syncingProfile": "プロファイル '{{name}}' を同期中...",
+      "syncingProfileWithProgress": "{{count}} ファイル ({{size}})",
      "updatingVersions": "ブラウザバージョンを更新中..."
    }
  },
@@ -629,6 +645,8 @@
  "warnings": {
    "windowResizeTitle": "カスタムウィンドウサイズ",
    "windowResizeDescription": "ブラウザウィンドウのサイズを変更すると、ブラウザ情報が偽装されていることをウェブサイトに検出される可能性が高くなります。",
+    "windowResizeCamoufoxTitle": "Camoufoxによりビューポートがロックされています",
+    "windowResizeCamoufoxDescription": "Camoufoxはアンチフィンガープリントのためにビューポートを偽装された画面サイズにロックします。ウィンドウのサイズを変更すると、切り取られた領域やグレーの領域が表示される場合があります。これは想定された動作です。",
    "dontShowAgain": "今後表示しない",
    "continue": "続行",
    "cancel": "キャンセル"
@@ -676,6 +694,88 @@
      "error": "Cookieのエクスポートに失敗しました"
    }
  },
+  "profileInfo": {
+    "title": "プロフィール詳細",
+    "tabs": {
+      "info": "情報",
+      "settings": "設定"
+    },
+    "fields": {
+      "profileId": "プロフィールID",
+      "browser": "ブラウザ",
+      "releaseType": "リリースタイプ",
+      "proxyVpn": "プロキシ / VPN",
+      "group": "グループ",
+      "tags": "タグ",
+      "note": "メモ",
+      "syncStatus": "同期ステータス",
+      "lastLaunched": "最終起動",
+      "hostOs": "ホストOS",
+      "ephemeral": "エフェメラル",
+      "extensionGroup": "拡張機能グループ"
+    },
+    "values": {
+      "none": "なし",
+      "never": "なし",
+      "copied": "コピーしました！",
+      "yes": "はい"
+    },
+    "network": {
+      "bypassRules": "プロキシバイパスルール",
+      "bypassRulesTitle": "プロキシバイパスルール",
+      "bypassRulesDescription": "これらのルールに一致するリクエストは、プロキシをバイパスして直接接続します。",
+      "addRule": "ルールを追加",
+      "rulePlaceholder": "例: example.com, 192.168.1.*, .*\\.local",
+      "noRules": "バイパスルールは設定されていません。",
+      "ruleTypes": "ホスト名、IPアドレス、正規表現パターンをサポートしています。"
+    },
+    "actions": {
+      "manageCookies": "Cookieを管理"
+    },
+    "clone": {
+      "title": "プロフィールを複製",
+      "description": "複製されたプロフィールの名前を入力してください",
+      "namePlaceholder": "プロフィール名",
+      "button": "複製"
+    }
+  },
+  "extensions": {
+    "title": "拡張機能",
+    "description": "プロファイル用のブラウザ拡張機能と拡張機能グループを管理します。",
+    "upload": "アップロード",
+    "delete": "削除",
+    "extensionsTab": "拡張機能",
+    "groupsTab": "グループ",
+    "managedNotice": "ここで管理される拡張機能は、起動時にプロファイルに手動でインストールされた拡張機能を置き換えます。",
+    "proRequired": "拡張機能管理はプロ機能です",
+    "empty": "まだ拡張機能がアップロードされていません。",
+    "noGroups": "まだ拡張機能グループが作成されていません。",
+    "createGroup": "グループを作成",
+    "addToGroup": "拡張機能を追加...",
+    "removeFromGroup": "グループから削除",
+    "deleteGroup": "グループを削除",
+    "extensionGroup": "拡張機能グループ",
+    "compatibility": {
+      "label": "互換性",
+      "chromium": "Chromium",
+      "firefox": "Firefox",
+      "both": "Chromium & Firefox"
+    },
+    "selectedFile": "選択されたファイル",
+    "namePlaceholder": "拡張機能名",
+    "groupNamePlaceholder": "グループ名",
+    "uploadSuccess": "拡張機能が正常にアップロードされました",
+    "deleteSuccess": "拡張機能が正常に削除されました",
+    "groupCreateSuccess": "拡張機能グループが正常に作成されました",
+    "groupUpdateSuccess": "拡張機能グループが正常に更新されました",
+    "groupDeleteSuccess": "拡張機能グループが正常に削除されました",
+    "deleteConfirmTitle": "拡張機能を削除",
+    "deleteConfirmDescription": "「{{name}}」を削除してもよろしいですか？この操作は元に戻せません。",
+    "deleteGroupConfirmTitle": "拡張機能グループを削除",
+    "deleteGroupConfirmDescription": "グループ「{{name}}」を削除してもよろしいですか？この操作は元に戻せません。",
+    "invalidFileType": "無効なファイルタイプです。.crx、.xpi、または .zip ファイルをアップロードしてください。",
+    "readError": "拡張機能ファイルの読み取りに失敗しました。"
+  },
  "pro": {
    "badge": "PRO",
    "fingerprintLocked": "フィンガープリント編集はプロ機能です",
@@ -120,7 +120,8 @@
      "removed": "Senha de criptografia removida",
      "passwordSaved": "Senha de criptografia definida",
      "passwordMismatch": "As senhas não coincidem",
-      "passwordTooShort": "A senha deve ter pelo menos 8 caracteres"
+      "passwordTooShort": "A senha deve ter pelo menos 8 caracteres",
+      "requiresProOrOwner": "A criptografia de perfis está disponível para usuários Pro e proprietários de equipe."
    },
    "commercial": {
      "title": "Licença Comercial",
@@ -146,7 +147,8 @@
      "groups": "Grupos",
      "syncService": "Conta",
      "integrations": "Integrações",
-      "importProfile": "Importar Perfil"
+      "importProfile": "Importar Perfil",
+      "extensions": "Extensões"
    }
  },
  "profiles": {
@@ -339,6 +341,19 @@
      "logoutConfirm": "Tem certeza de que deseja sair? A sincronização na nuvem será interrompida.",
      "loginSuccess": "Login realizado com sucesso!",
      "logoutSuccess": "Logout realizado com sucesso."
+    },
+    "team": {
+      "title": "Equipe",
+      "name": "Nome da Equipe",
+      "role": "Função",
+      "roleOwner": "Proprietário",
+      "roleAdmin": "Administrador",
+      "roleMember": "Membro",
+      "manageOnWeb": "Gerenciar equipe no painel web",
+      "profileLocked": "Em uso por {{email}}",
+      "profileLockedShort": "Em uso",
+      "cannotLaunchLocked": "Não é possível iniciar — o perfil está em uso por {{email}}",
+      "createdBy": "Criado por {{email}}"
    }
  },
  "integrations": {
@@ -503,6 +518,7 @@
      "verifying": "Verificando {{browser}} {{version}}",
      "syncing": "Sincronizando...",
      "syncingProfile": "Sincronizando perfil '{{name}}'...",
+      "syncingProfileWithProgress": "{{count}} arquivos ({{size}})",
      "updatingVersions": "Atualizando versões de navegadores..."
    }
  },
@@ -629,6 +645,8 @@
  "warnings": {
    "windowResizeTitle": "Dimensões de janela personalizadas",
    "windowResizeDescription": "Alterar as dimensões da janela do navegador pode aumentar a chance de detecção pelos sites de que as informações do navegador estão falsificadas.",
+    "windowResizeCamoufoxTitle": "Viewport bloqueado pelo Camoufox",
+    "windowResizeCamoufoxDescription": "O Camoufox bloqueia o viewport nas dimensões de tela falsificadas para anti-fingerprinting. Redimensionar a janela pode causar áreas cortadas ou cinzas. Este é o comportamento esperado.",
    "dontShowAgain": "Não mostrar novamente",
    "continue": "Continuar",
    "cancel": "Cancelar"
@@ -676,6 +694,88 @@
      "error": "Falha ao exportar cookies"
    }
  },
+  "profileInfo": {
+    "title": "Detalhes do Perfil",
+    "tabs": {
+      "info": "Info",
+      "settings": "Configurações"
+    },
+    "fields": {
+      "profileId": "ID do Perfil",
+      "browser": "Navegador",
+      "releaseType": "Tipo de Versão",
+      "proxyVpn": "Proxy / VPN",
+      "group": "Grupo",
+      "tags": "Tags",
+      "note": "Nota",
+      "syncStatus": "Status de Sincronização",
+      "lastLaunched": "Último Lançamento",
+      "hostOs": "SO Host",
+      "ephemeral": "Efêmero",
+      "extensionGroup": "Grupo de Extensões"
+    },
+    "values": {
+      "none": "Nenhum",
+      "never": "Nunca",
+      "copied": "Copiado!",
+      "yes": "Sim"
+    },
+    "network": {
+      "bypassRules": "Regras de Bypass de Proxy",
+      "bypassRulesTitle": "Regras de Bypass de Proxy",
+      "bypassRulesDescription": "Solicitações que correspondam a estas regras se conectarão diretamente, ignorando o proxy.",
+      "addRule": "Adicionar Regra",
+      "rulePlaceholder": "ex. example.com, 192.168.1.*, .*\\.local",
+      "noRules": "Nenhuma regra de bypass configurada.",
+      "ruleTypes": "Suporta nomes de host, endereços IP e padrões regex."
+    },
+    "actions": {
+      "manageCookies": "Gerenciar Cookies"
+    },
+    "clone": {
+      "title": "Clonar Perfil",
+      "description": "Digite um nome para o perfil clonado",
+      "namePlaceholder": "Nome do perfil",
+      "button": "Clonar"
+    }
+  },
+  "extensions": {
+    "title": "Extensões",
+    "description": "Gerencie extensões de navegador e grupos de extensões para seus perfis.",
+    "upload": "Enviar",
+    "delete": "Excluir",
+    "extensionsTab": "Extensões",
+    "groupsTab": "Grupos",
+    "managedNotice": "As extensões gerenciadas aqui substituirão quaisquer extensões instaladas manualmente nos perfis ao serem iniciados.",
+    "proRequired": "O gerenciamento de extensões é um recurso Pro",
+    "empty": "Nenhuma extensão enviada ainda.",
+    "noGroups": "Nenhum grupo de extensões criado ainda.",
+    "createGroup": "Criar Grupo",
+    "addToGroup": "Adicionar extensão...",
+    "removeFromGroup": "Remover do grupo",
+    "deleteGroup": "Excluir grupo",
+    "extensionGroup": "Grupo de Extensões",
+    "compatibility": {
+      "label": "Compatibilidade",
+      "chromium": "Chromium",
+      "firefox": "Firefox",
+      "both": "Chromium e Firefox"
+    },
+    "selectedFile": "Arquivo selecionado",
+    "namePlaceholder": "Nome da extensão",
+    "groupNamePlaceholder": "Nome do grupo",
+    "uploadSuccess": "Extensão enviada com sucesso",
+    "deleteSuccess": "Extensão excluída com sucesso",
+    "groupCreateSuccess": "Grupo de extensões criado com sucesso",
+    "groupUpdateSuccess": "Grupo de extensões atualizado com sucesso",
+    "groupDeleteSuccess": "Grupo de extensões excluído com sucesso",
+    "deleteConfirmTitle": "Excluir Extensão",
+    "deleteConfirmDescription": "Tem certeza de que deseja excluir \"{{name}}\"? Esta ação não pode ser desfeita.",
+    "deleteGroupConfirmTitle": "Excluir Grupo de Extensões",
+    "deleteGroupConfirmDescription": "Tem certeza de que deseja excluir o grupo \"{{name}}\"? Esta ação não pode ser desfeita.",
+    "invalidFileType": "Tipo de arquivo inválido. Envie um arquivo .crx, .xpi ou .zip.",
+    "readError": "Falha ao ler o arquivo de extensão."
+  },
  "pro": {
    "badge": "PRO",
    "fingerprintLocked": "A edição de impressão digital é um recurso Pro",
@@ -120,7 +120,8 @@
      "removed": "Пароль шифрования удалён",
      "passwordSaved": "Пароль шифрования установлен",
      "passwordMismatch": "Пароли не совпадают",
-      "passwordTooShort": "Пароль должен содержать не менее 8 символов"
+      "passwordTooShort": "Пароль должен содержать не менее 8 символов",
+      "requiresProOrOwner": "Шифрование профилей доступно для пользователей Pro и владельцев команд."
    },
    "commercial": {
      "title": "Коммерческая лицензия",
@@ -146,7 +147,8 @@
      "groups": "Группы",
      "syncService": "Аккаунт",
      "integrations": "Интеграции",
-      "importProfile": "Импорт профиля"
+      "importProfile": "Импорт профиля",
+      "extensions": "Расширения"
    }
  },
  "profiles": {
@@ -339,6 +341,19 @@
      "logoutConfirm": "Вы уверены, что хотите выйти? Облачная синхронизация будет остановлена.",
      "loginSuccess": "Вход выполнен успешно!",
      "logoutSuccess": "Выход выполнен успешно."
+    },
+    "team": {
+      "title": "Команда",
+      "name": "Название команды",
+      "role": "Роль",
+      "roleOwner": "Владелец",
+      "roleAdmin": "Администратор",
+      "roleMember": "Участник",
+      "manageOnWeb": "Управление командой в веб-панели",
+      "profileLocked": "Используется {{email}}",
+      "profileLockedShort": "Используется",
+      "cannotLaunchLocked": "Невозможно запустить — профиль используется {{email}}",
+      "createdBy": "Создано {{email}}"
    }
  },
  "integrations": {
@@ -503,6 +518,7 @@
      "verifying": "Проверка {{browser}} {{version}}",
      "syncing": "Синхронизация...",
      "syncingProfile": "Синхронизация профиля '{{name}}'...",
+      "syncingProfileWithProgress": "{{count}} файлов ({{size}})",
      "updatingVersions": "Обновление версий браузеров..."
    }
  },
@@ -629,6 +645,8 @@
  "warnings": {
    "windowResizeTitle": "Пользовательские размеры окна",
    "windowResizeDescription": "Изменение размеров окна браузера может повысить вероятность обнаружения сайтами того, что информация браузера подменена.",
+    "windowResizeCamoufoxTitle": "Viewport заблокирован Camoufox",
+    "windowResizeCamoufoxDescription": "Camoufox блокирует viewport на подменённых размерах экрана для защиты от фингерпринтинга. Изменение размера окна может вызвать обрезанные или серые области. Это ожидаемое поведение.",
    "dontShowAgain": "Больше не показывать",
    "continue": "Продолжить",
    "cancel": "Отмена"
@@ -676,6 +694,88 @@
      "error": "Ошибка экспорта cookies"
    }
  },
+  "profileInfo": {
+    "title": "Детали профиля",
+    "tabs": {
+      "info": "Информация",
+      "settings": "Настройки"
+    },
+    "fields": {
+      "profileId": "ID профиля",
+      "browser": "Браузер",
+      "releaseType": "Тип релиза",
+      "proxyVpn": "Прокси / VPN",
+      "group": "Группа",
+      "tags": "Теги",
+      "note": "Заметка",
+      "syncStatus": "Статус синхронизации",
+      "lastLaunched": "Последний запуск",
+      "hostOs": "ОС хоста",
+      "ephemeral": "Эфемерный",
+      "extensionGroup": "Группа расширений"
+    },
+    "values": {
+      "none": "Нет",
+      "never": "Никогда",
+      "copied": "Скопировано!",
+      "yes": "Да"
+    },
+    "network": {
+      "bypassRules": "Правила обхода прокси",
+      "bypassRulesTitle": "Правила обхода прокси",
+      "bypassRulesDescription": "Запросы, соответствующие этим правилам, будут подключаться напрямую, минуя прокси.",
+      "addRule": "Добавить правило",
+      "rulePlaceholder": "напр. example.com, 192.168.1.*, .*\\.local",
+      "noRules": "Правила обхода не настроены.",
+      "ruleTypes": "Поддерживает имена хостов, IP-адреса и шаблоны регулярных выражений."
+    },
+    "actions": {
+      "manageCookies": "Управление Cookie"
+    },
+    "clone": {
+      "title": "Клонировать профиль",
+      "description": "Введите имя для клонированного профиля",
+      "namePlaceholder": "Имя профиля",
+      "button": "Клонировать"
+    }
+  },
+  "extensions": {
+    "title": "Расширения",
+    "description": "Управляйте расширениями браузера и группами расширений для ваших профилей.",
+    "upload": "Загрузить",
+    "delete": "Удалить",
+    "extensionsTab": "Расширения",
+    "groupsTab": "Группы",
+    "managedNotice": "Расширения, управляемые здесь, заменят все вручную установленные расширения в профилях при запуске.",
+    "proRequired": "Управление расширениями — функция Pro",
+    "empty": "Расширения ещё не загружены.",
+    "noGroups": "Группы расширений ещё не созданы.",
+    "createGroup": "Создать группу",
+    "addToGroup": "Добавить расширение...",
+    "removeFromGroup": "Удалить из группы",
+    "deleteGroup": "Удалить группу",
+    "extensionGroup": "Группа расширений",
+    "compatibility": {
+      "label": "Совместимость",
+      "chromium": "Chromium",
+      "firefox": "Firefox",
+      "both": "Chromium и Firefox"
+    },
+    "selectedFile": "Выбранный файл",
+    "namePlaceholder": "Название расширения",
+    "groupNamePlaceholder": "Название группы",
+    "uploadSuccess": "Расширение успешно загружено",
+    "deleteSuccess": "Расширение успешно удалено",
+    "groupCreateSuccess": "Группа расширений успешно создана",
+    "groupUpdateSuccess": "Группа расширений успешно обновлена",
+    "groupDeleteSuccess": "Группа расширений успешно удалена",
+    "deleteConfirmTitle": "Удалить расширение",
+    "deleteConfirmDescription": "Вы уверены, что хотите удалить «{{name}}»? Это действие нельзя отменить.",
+    "deleteGroupConfirmTitle": "Удалить группу расширений",
+    "deleteGroupConfirmDescription": "Вы уверены, что хотите удалить группу «{{name}}»? Это действие нельзя отменить.",
+    "invalidFileType": "Недопустимый тип файла. Загрузите файл .crx, .xpi или .zip.",
+    "readError": "Не удалось прочитать файл расширения."
+  },
  "pro": {
    "badge": "PRO",
    "fingerprintLocked": "Редактирование отпечатка — функция Pro",
@@ -120,7 +120,8 @@
      "removed": "加密密码已删除",
      "passwordSaved": "加密密码已设置",
      "passwordMismatch": "密码不匹配",
-      "passwordTooShort": "密码必须至少8个字符"
+      "passwordTooShort": "密码必须至少8个字符",
+      "requiresProOrOwner": "配置文件加密仅适用于Pro用户和团队所有者。"
    },
    "commercial": {
      "title": "商业许可",
@@ -146,7 +147,8 @@
      "groups": "分组",
      "syncService": "账户",
      "integrations": "集成",
-      "importProfile": "导入配置文件"
+      "importProfile": "导入配置文件",
+      "extensions": "扩展程序"
    }
  },
  "profiles": {
@@ -339,6 +341,19 @@
      "logoutConfirm": "您确定要退出登录吗？云同步将会停止。",
      "loginSuccess": "登录成功！",
      "logoutSuccess": "已成功退出登录。"
+    },
+    "team": {
+      "title": "团队",
+      "name": "团队名称",
+      "role": "角色",
+      "roleOwner": "所有者",
+      "roleAdmin": "管理员",
+      "roleMember": "成员",
+      "manageOnWeb": "在网页控制台管理团队",
+      "profileLocked": "{{email}} 正在使用中",
+      "profileLockedShort": "使用中",
+      "cannotLaunchLocked": "无法启动 — 配置文件正被 {{email}} 使用",
+      "createdBy": "由 {{email}} 创建"
    }
  },
  "integrations": {
@@ -503,6 +518,7 @@
      "verifying": "正在验证 {{browser}} {{version}}",
      "syncing": "同步中...",
      "syncingProfile": "正在同步配置文件 '{{name}}'...",
+      "syncingProfileWithProgress": "{{count}} 个文件 ({{size}})",
      "updatingVersions": "正在更新浏览器版本..."
    }
  },
@@ -629,6 +645,8 @@
  "warnings": {
    "windowResizeTitle": "自定义窗口尺寸",
    "windowResizeDescription": "更改浏览器窗口尺寸可能会增加网站检测到浏览器信息被伪装的概率。",
+    "windowResizeCamoufoxTitle": "视口已被 Camoufox 锁定",
+    "windowResizeCamoufoxDescription": "Camoufox 将视口锁定为伪装的屏幕尺寸以防止指纹识别。调整窗口大小可能会导致内容被裁剪或出现灰色区域。这是预期行为。",
    "dontShowAgain": "不再显示",
    "continue": "继续",
    "cancel": "取消"
@@ -676,6 +694,88 @@
      "error": "导出 Cookies 失败"
    }
  },
+  "profileInfo": {
+    "title": "配置文件详情",
+    "tabs": {
+      "info": "信息",
+      "settings": "设置"
+    },
+    "fields": {
+      "profileId": "配置文件 ID",
+      "browser": "浏览器",
+      "releaseType": "发布类型",
+      "proxyVpn": "代理 / VPN",
+      "group": "分组",
+      "tags": "标签",
+      "note": "备注",
+      "syncStatus": "同步状态",
+      "lastLaunched": "上次启动",
+      "hostOs": "主机操作系统",
+      "ephemeral": "临时",
+      "extensionGroup": "扩展程序组"
+    },
+    "values": {
+      "none": "无",
+      "never": "从未",
+      "copied": "已复制！",
+      "yes": "是"
+    },
+    "network": {
+      "bypassRules": "代理绕过规则",
+      "bypassRulesTitle": "代理绕过规则",
+      "bypassRulesDescription": "匹配这些规则的请求将直接连接，绕过代理。",
+      "addRule": "添加规则",
+      "rulePlaceholder": "例如 example.com, 192.168.1.*, .*\\.local",
+      "noRules": "未配置绕过规则。",
+      "ruleTypes": "支持主机名、IP地址和正则表达式模式。"
+    },
+    "actions": {
+      "manageCookies": "管理 Cookie"
+    },
+    "clone": {
+      "title": "克隆配置文件",
+      "description": "输入克隆配置文件的名称",
+      "namePlaceholder": "配置文件名称",
+      "button": "克隆"
+    }
+  },
+  "extensions": {
+    "title": "扩展程序",
+    "description": "管理配置文件的浏览器扩展程序和扩展程序组。",
+    "upload": "上传",
+    "delete": "删除",
+    "extensionsTab": "扩展程序",
+    "groupsTab": "分组",
+    "managedNotice": "此处管理的扩展程序将在启动时替换配置文件中手动安装的所有扩展程序。",
+    "proRequired": "扩展程序管理是 Pro 功能",
+    "empty": "尚未上传任何扩展程序。",
+    "noGroups": "尚未创建任何扩展程序组。",
+    "createGroup": "创建分组",
+    "addToGroup": "添加扩展程序...",
+    "removeFromGroup": "从分组中移除",
+    "deleteGroup": "删除分组",
+    "extensionGroup": "扩展程序组",
+    "compatibility": {
+      "label": "兼容性",
+      "chromium": "Chromium",
+      "firefox": "Firefox",
+      "both": "Chromium 和 Firefox"
+    },
+    "selectedFile": "已选文件",
+    "namePlaceholder": "扩展程序名称",
+    "groupNamePlaceholder": "分组名称",
+    "uploadSuccess": "扩展程序上传成功",
+    "deleteSuccess": "扩展程序删除成功",
+    "groupCreateSuccess": "扩展程序组创建成功",
+    "groupUpdateSuccess": "扩展程序组更新成功",
+    "groupDeleteSuccess": "扩展程序组删除成功",
+    "deleteConfirmTitle": "删除扩展程序",
+    "deleteConfirmDescription": "确定要删除「{{name}}」吗？此操作无法撤消。",
+    "deleteGroupConfirmTitle": "删除扩展程序组",
+    "deleteGroupConfirmDescription": "确定要删除分组「{{name}}」吗？此操作无法撤消。",
+    "invalidFileType": "无效的文件类型。请上传 .crx、.xpi 或 .zip 文件。",
+    "readError": "读取扩展程序文件失败。"
+  },
  "pro": {
    "badge": "PRO",
    "fingerprintLocked": "指纹编辑是 Pro 功能",
@@ -232,6 +232,38 @@ export function dismissToast(id: string) {
  sonnerToast.dismiss(id);
 }

+function formatBytes(bytes: number): string {
+  if (bytes === 0) return "0 B";
+  const units = ["B", "KB", "MB", "GB"];
+  const i = Math.min(
+    Math.floor(Math.log(bytes) / Math.log(1024)),
+    units.length - 1,
+  );
+  const value = bytes / 1024 ** i;
+  return `${i === 0 ? value : value.toFixed(1)} ${units[i]}`;
+}
+
+export function showSyncProgressToast(
+  profileName: string,
+  totalFiles: number,
+  totalBytes: number,
+  options?: { id?: string },
+) {
+  const description = `${totalFiles} files (${formatBytes(totalBytes)})`;
+  return showToast({
+    type: "loading",
+    title: `Syncing profile '${profileName}'...`,
+    description,
+    id: options?.id,
+    duration: Number.POSITIVE_INFINITY,
+    onCancel: () => {
+      if (options?.id) {
+        dismissToast(options.id);
+      }
+    },
+  });
+}
+
 export function showUnifiedVersionUpdateToast(
  title: string,
  options?: {
@@ -31,6 +31,32 @@ export interface BrowserProfile {
  last_sync?: number; // Timestamp of last successful sync (epoch seconds)
  host_os?: string; // OS where profile was created ("macos", "windows", "linux")
  ephemeral?: boolean;
+  extension_group_id?: string;
+  proxy_bypass_rules?: string[];
+  created_by_id?: string;
+  created_by_email?: string;
+}
+
+export interface Extension {
+  id: string;
+  name: string;
+  file_name: string;
+  file_type: string;
+  browser_compatibility: string[];
+  created_at: number;
+  updated_at: number;
+  sync_enabled?: boolean;
+  last_sync?: number;
+}
+
+export interface ExtensionGroup {
+  id: string;
+  name: string;
+  extension_ids: string[];
+  created_at: number;
+  updated_at: number;
+  sync_enabled?: boolean;
+  last_sync?: number;
 }

 export type SyncMode = "Disabled" | "Regular" | "Encrypted";
@@ -52,6 +78,18 @@ export interface CloudUser {
  cloudProfilesUsed: number;
  proxyBandwidthLimitMb: number;
  proxyBandwidthUsedMb: number;
+  proxyBandwidthExtraMb: number;
+  teamId?: string;
+  teamName?: string;
+  teamRole?: string;
+}
+
+export interface ProfileLockInfo {
+  profileId: string;
+  lockedBy: string;
+  lockedByEmail: string;
+  lockedAt: string;
+  expiresAt?: string;
 }

 export interface CloudAuthState {